Privacy Policy, GDPR, and Cookie Consent: What Your Website Legally Needs (Part 15 of 20)
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually, and after any major design change | Run a WAVE or axe scan; fix high-severity findings first. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (read together with the EU ePrivacy rules), you need opt-in consent to send marketing email; the one narrow exception is the “soft opt-in” for your own existing customers, who must have been offered an opt-out when they gave you their address. Under CAN-SPAM (US), opt-in is not required, but opt-out requests must be honored within 10 business days and the unsubscribe mechanism must keep working for at least 30 days after a message is sent. Under CASL (Canada), express opt-in consent is required for commercial electronic messages, with implied consent limited to cases such as an existing business relationship.
For a globally compliant email list: use double opt-in (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP address, method of consent and the exact consent wording shown for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. Together these practices meet or exceed the requirements of all three regimes.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
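The double opt-in flow described above, as an added example (not code from the page or from any of the platforms it names): a signed confirmation link, a consent record capturing date, IP and method at the moment of the click, and an unsubscribe that is honored immediately while keeping the record as proof for earlier sends. The class and method names, the 48-hour link lifetime and the sample addresses are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    email: str
    confirmed_at: float        # Unix time of the confirmation click
    ip: str                    # address the click came from
    method: str                # how consent was obtained
    unsubscribed_at: Optional[float] = None


class MailingList:
    """Double opt-in list: an address enters the list only after its owner
    follows a signed confirmation link (hypothetical class for this example)."""

    def __init__(self, secret: bytes, link_ttl_seconds: int = 48 * 3600):
        self._secret = secret
        self._ttl = link_ttl_seconds            # assumed 48-hour link lifetime
        self.subscribers: Dict[str, ConsentRecord] = {}

    def _signature(self, email: str, issued_at: int) -> str:
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, now: Optional[float] = None) -> str:
        """Step 1 (form submit): build the token for the confirmation email.
        Nothing is stored yet, so unconfirmed addresses never reach the list."""
        email = email.strip().lower()
        issued_at = int(now if now is not None else time.time())
        return f"{email}|{issued_at}|{self._signature(email, issued_at)}"

    def confirm(self, token: str, ip: str, method: str = "double-opt-in:web-form",
                now: Optional[float] = None) -> bool:
        """Step 2 (link click): verify the HMAC and expiry, then record consent
        together with the date, IP and method."""
        now = now if now is not None else time.time()
        try:
            email, issued_str, sig = token.rsplit("|", 2)
            issued_at = int(issued_str)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._signature(email, issued_at)):
            return False                        # forged or altered link
        if now - issued_at > self._ttl:
            return False                        # stale link
        self.subscribers[email] = ConsentRecord(email, now, ip, method)
        return True

    def unsubscribe(self, email: str, now: Optional[float] = None) -> bool:
        """Honour immediately. Keep the record, with the unsubscribe time, so
        you can still prove consent existed for the sends that went out before."""
        rec = self.subscribers.get(email.strip().lower())
        if rec is None or rec.unsubscribed_at is not None:
            return False
        rec.unsubscribed_at = now if now is not None else time.time()
        return True

    def can_email(self, email: str) -> bool:
        rec = self.subscribers.get(email.strip().lower())
        return rec is not None and rec.unsubscribed_at is None


if __name__ == "__main__":
    # In production the key comes from a secret store, not from the process.
    ml = MailingList(secrets.token_bytes(32))
    token = ml.request_subscription("alice@example.com")   # constructed address
    # ...mail a link that carries `token`; when it is clicked:
    print(ml.confirm(token, ip="203.0.113.5"), ml.can_email("alice@example.com"))
```

The token carries the address in clear text and only the HMAC keeps it honest; if you would rather not expose addresses in URLs, sign an opaque random id and look the address up server-side instead.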
Privacy-First Analytics Options
Google Analytics requires consent because it sets identifying cookies (consent for non-essential cookies comes from the EU ePrivacy rules, enforced alongside GDPR) and sends the resulting personal data to Google’s servers, including in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Some regulators (France’s CNIL, for example) treat it as exempt from consent when it runs in that mode with IP truncation and no cross-site tracking; the exemption depends on your configuration and your regulator, so check the guidance that applies to you.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
A required “I have read and agree to the Terms of Service” checkbox at registration creates a documented record of acceptance, provided you actually store it: the user, the timestamp and the version of the terms accepted. Keep GDPR consent separate from that acceptance: each consent-based purpose (marketing email, for example) gets its own checkbox, unticked by default, and the processing the account itself needs (which rests on the contract, not on consent) is never bundled into it. Pre-ticked boxes and bundled consent are not valid.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge of users under 13, COPPA compliance is legally required; once you know a user is under 13 you must either obtain verifiable parental consent or delete the account and its data. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for sites applying the GDPR default), and add a date-of-birth or age check to registration forms if there is any possibility of underage users. Store only the outcome of that check, not the birth date itself, unless you have another need for it.
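The registration rules from the legal-pages section (a ToS acceptance that records which version was accepted, separate unticked checkboxes per consent purpose, no bundled consent) and the age gate from this section, combined into one server-side validator. This is an added example, not code from the page or from any plugin it mentions; the field names, the terms text and version label, the consent purposes and the sample form data are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Hypothetical current Terms of Service. The record keeps the version label and
# a hash of the text so you can later show exactly which wording was accepted.
TERMS_VERSION = "2024-06-01"
TERMS_TEXT = "Example Terms of Service, version 2024-06-01 (constructed for this example)."
TERMS_SHA256 = hashlib.sha256(TERMS_TEXT.encode()).hexdigest()

# Consent-based purposes. Each gets its own checkbox, unticked by default.
# Processing needed to run the account itself is deliberately absent: it rests
# on the contract with the user and must not be bundled into a consent box.
CONSENT_PURPOSES = ("marketing_email", "product_research")


@dataclass
class RegistrationRecord:
    email: str
    accepted_terms_version: str
    accepted_terms_sha256: str
    accepted_on: date
    age_check_passed: bool            # store the outcome, not the birth date
    consents: Dict[str, bool]         # purpose -> granted (missing box == False)


class RegistrationError(ValueError):
    pass


def _age_on(birth: date, today: date) -> int:
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def validate_registration(form: Dict[str, str], today: date,
                          minimum_age: int = 13) -> RegistrationRecord:
    """Validate a submitted registration form (a dict of field name -> value).

    * The ToS box must be affirmatively checked; we record which version.
    * Each consent purpose is read from its own checkbox; a missing or unchecked
      box is a refusal, never a grant. A bundled "accept_all" field is ignored.
    * The user must meet the minimum age (13 for COPPA; pass 16 for the GDPR default).
    """
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        raise RegistrationError("a valid email address is required")
    if form.get("accept_terms") != "on":
        raise RegistrationError("the Terms of Service must be accepted")
    try:
        birth = date.fromisoformat(form.get("date_of_birth", ""))
    except ValueError:
        raise RegistrationError("date of birth is required as YYYY-MM-DD") from None
    if _age_on(birth, today) < minimum_age:
        raise RegistrationError(f"you must be at least {minimum_age} to register")
    consents = {p: form.get(f"consent_{p}") == "on" for p in CONSENT_PURPOSES}
    return RegistrationRecord(email, TERMS_VERSION, TERMS_SHA256, today, True, consents)


def registration_rejected(form: Dict[str, str], today: date,
                          minimum_age: int = 13) -> Optional[str]:
    """The rejection reason, or None if the form is acceptable."""
    try:
        validate_registration(form, today, minimum_age)
    except RegistrationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed submission: terms accepted, marketing consent given, research not.
    sample = {"email": "Bob@Example.com", "accept_terms": "on",
              "date_of_birth": "2000-01-01", "consent_marketing_email": "on"}
    print(validate_registration(sample, date(2024, 6, 15)))
```

Persist the returned record alongside the account; the hash lets you prove what was accepted even after the terms page changes, and the per-purpose booleans are what you check before every marketing send.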
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office, have a working takedown process, and have a reasonably implemented policy for terminating repeat infringers.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to what SAQ A covers (the shortest self-assessment questionnaire, for merchants that fully outsource cardholder data handling).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, logs or backups. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, in fields served by the processor, and tokenizing them before anything reaches your server. Two checks are worth doing: in the browser’s network tab, confirm that card fields post to the processor’s domain and never to yours; and keep the scripts loaded on your checkout page to a reviewed minimum (Content-Security-Policy and Subresource Integrity help), because client-side skimming attacks inject JavaScript that reads card fields before the processor ever sees them, and PCI DSS v4 added payment-page script requirements aimed at exactly that attack.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Automated scanners catch only part of the problems, so also tab through your key flows with the keyboard alone. Fix high-severity issues first.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out, which the CPRA regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether the plugin also responds to GPC, and enable that if it does.
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
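Tokenized checkout keeps card numbers off your server, but a customer can still type one into a contact form or order-notes field, and storing it would pull that table into PCI scope. The following is an added example, not code from the original article or from Stripe or PayPal: a pre-storage screen that detects Luhn-valid card-number candidates in submitted text fields and rejects the submission, logging only a masked value. The test card number used as sample input is a publicly documented test PAN, not a real card.

```javascript
// Added example (not from the original article): refuse to persist form
// submissions that contain something that looks like a payment card number,
// so free-text fields never become stored cardholder data.

// Luhn mod-10 check on a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find candidate PANs: 13-19 digits, allowing a space or dash between digits,
// keeping only those that pass Luhn (this drops most order IDs and phone numbers).
function findPans(text) {
  const candidates = text.match(/\b(?:\d[ -]?){12,18}\d\b/g) || [];
  return candidates
    .map((c) => c.replace(/[ -]/g, ""))
    .filter((d) => d.length >= 13 && d.length <= 19 && luhnValid(d));
}

// Mask to first 6 / last 4 so a log line can explain the rejection
// without itself becoming stored cardholder data.
function maskPan(pan) {
  return pan.slice(0, 6) + "*".repeat(pan.length - 10) + pan.slice(-4);
}

// Screen every string field of a submission before it is written anywhere.
function screenSubmission(fields) {
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    for (const pan of findPans(value)) {
      findings.push({ field: name, masked: maskPan(pan) });
    }
  }
  return { accepted: findings.length === 0, findings };
}

// Constructed sample: an order-notes form where the customer pasted a card number.
// 4111 1111 1111 1111 is a publicly documented test PAN; the order reference is a
// 16-digit value that is NOT Luhn-valid and must not be flagged.
const SAMPLE_SUBMISSION = {
  name: "A. Customer",
  phone: "555-0100-2345",
  order_ref: "1234567890123456",
  notes: "Please charge my card 4111 1111 1111 1111 instead of the one on file.",
};

console.log(screenSubmission(SAMPLE_SUBMISSION));
```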
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
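The practices above (double opt-in before anyone joins the list, a consent record with date, IP and method, unsubscribes honoured at once) describe a small state machine. The following is an added example, not code from the original article or from Mailchimp, ConvertKit or ActiveCampaign: a minimal subscriber store implementing that flow, plus an audit that flags any unsubscribe applied more than 24 hours after it was requested. The placeholder token format is an assumption made so the example is reproducible.

```javascript
// Added example (not from the original article): double opt-in subscriber store.
// Nobody is mailable until the confirmation link is used, every consent records
// date, IP and method, and unsubscribes are checked against the 24-hour target.

class SubscriberStore {
  constructor() {
    this.subscribers = new Map(); // email -> record
    this.pending = new Map();     // confirmation token -> email
    this.counter = 0;
  }

  // Step 1: the sign-up form. Creates a pending record only and returns the
  // token to embed in the confirmation email. The token format here is a
  // placeholder; production code would use a CSPRNG-generated token.
  requestSubscription(email, { at, ip }) {
    const normalised = email.trim().toLowerCase();
    const token = `tok-${++this.counter}`;
    this.pending.set(token, normalised);
    this.subscribers.set(normalised, {
      email: normalised,
      status: "pending",
      consent: null,
      requested_at: at,
      requested_ip: ip,
      unsubscribe_requested_at: null,
      unsubscribed_at: null,
    });
    return token;
  }

  // Step 2: the click on the confirmation link. Only now does consent exist,
  // and the record captures date, IP and method. A token works once.
  confirm(token, { at, ip }) {
    const email = this.pending.get(token);
    if (!email) return false;
    this.pending.delete(token);
    const rec = this.subscribers.get(email);
    rec.status = "subscribed";
    rec.consent = { at, ip, method: "double opt-in", confirmation_token: token };
    return true;
  }

  // Unsubscribe takes effect immediately. `appliedAt` defaults to the request
  // time; a manually processed request can record when it was actually applied.
  unsubscribe(email, { requestedAt, appliedAt = requestedAt }) {
    const rec = this.subscribers.get(email.trim().toLowerCase());
    if (!rec) return false;
    rec.status = "unsubscribed";
    rec.unsubscribe_requested_at = requestedAt;
    rec.unsubscribed_at = appliedAt;
    return true;
  }

  // The only addresses a campaign may be sent to: confirmed and not unsubscribed.
  mailableAddresses() {
    return [...this.subscribers.values()]
      .filter((r) => r.status === "subscribed" && r.consent !== null)
      .map((r) => r.email);
  }

  // Audit: unsubscribes that took longer than maxHours (24 by default) to apply.
  lateUnsubscribes(maxHours = 24) {
    return [...this.subscribers.values()].filter((r) => {
      if (!r.unsubscribe_requested_at || !r.unsubscribed_at) return false;
      const hours = (Date.parse(r.unsubscribed_at) - Date.parse(r.unsubscribe_requested_at)) / 36e5;
      return hours > maxHours;
    });
  }
}

// Constructed walkthrough: two sign-ups, one confirmed, one never confirmed.
function demo() {
  const store = new SubscriberStore();
  const t1 = store.requestSubscription("Ann@Example.com", { at: "2025-01-10T09:00:00Z", ip: "203.0.113.7" });
  store.requestSubscription("bob@example.com", { at: "2025-01-10T09:05:00Z", ip: "198.51.100.2" });
  store.confirm(t1, { at: "2025-01-10T09:02:00Z", ip: "203.0.113.7" });
  return store;
}

console.log(demo().mailableAddresses()); // only the confirmed address
```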
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit "I agree" checkbox (clickwrap) is far more likely to be enforced than terms that claim acceptance merely by using the site (browsewrap), which courts frequently decline to enforce; use the checkbox wherever users register or pay
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storage on, or access to, the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts fall under it just as cookies do. “Prior” means before the cookie is set or the script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user. For anonymous visitors, put a random consent ID in the consent cookie and log against that ID rather than collecting identifying data just to prove consent.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (default cookie mode), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; the period can be extended by up to two further months for complex or numerous requests, but you must tell the requester within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to the exceptions such as legal retention obligations, and tell any processors holding copies to erase them too)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (user profile, comments, media) but only cover plugin data if the plugin registers its own exporter and eraser with core through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Run a test export for one of your own accounts and check which data groups appear; if WooCommerce orders, BuddyPress profiles, or form submissions are missing, the plugin either needs its own export/erasure tooling or you will have to handle those records manually.
Breach Notification
GDPR requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Every breach, reportable or not, must be documented internally with its facts, effects and the remedial action taken. Designate someone responsible for breach assessment and notification in your organization, and make sure your processors (host, email platform, form provider) are contractually required to tell you promptly, because their delay eats into your 72 hours.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy, sell or share personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal (sent as the Sec-GPC request header and exposed as navigator.globalPrivacyControl) as an opt-out, which the CPRA regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (at least 4.5:1 for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
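The contrast requirement above is a formula, so it can be checked in code rather than only by a scanner run after the fact. As an added example (not from the original post, and not the code of WAVE or axe): the WCAG 2.x relative-luminance and contrast-ratio computation in JavaScript, usable in a theme build step or a test that guards your palette. The sample palette is constructed for the example.

```javascript
// Added example, not code from the original post or from WAVE/axe: the WCAG 2.x
// relative-luminance and contrast-ratio formulas, so a colour pair can be checked in a
// build step or test. Colours are assumed to be 6-digit hex strings.

function hexToRgb(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) throw new Error(`expected a 6-digit hex colour, got ${hex}`);
  const n = parseInt(m[1], 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0..255) to linear light, as in the WCAG definition of relative luminance.
function linearize(channel) {
  const c = channel / 255;
  return c <= 0.04045 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Relative luminance L = 0.2126 R + 0.7152 G + 0.0722 B on the linearized channels.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05), L1 being the lighter colour; range 1..21.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg), b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for normal text (1.4.3), 3:1 for large text (18pt, or 14pt bold)
// and for UI components and meaningful graphics (1.4.11).
function passesAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette of [foreground, background, options] triples; returns one row per pair
// with the ratio rounded to two decimals, so a failing pair is easy to spot in CI output.
function auditPalette(pairs) {
  return pairs.map(([fg, bg, opts = {}]) => ({
    fg, bg, ratio: Math.round(contrastRatio(fg, bg) * 100) / 100, passes: passesAA(fg, bg, opts),
  }));
}

// Constructed sample palette: mid-grey body text on white is the classic near-miss.
const SAMPLE_PALETTE = [
  ['#333333', '#ffffff', {}],                  // body text
  ['#777777', '#ffffff', {}],                  // placeholder grey: 4.48:1, fails AA for normal text
  ['#777777', '#ffffff', { largeText: true }], // the same grey as a large heading passes at 3:1
  ['#ffffff', '#1f4e79', {}],                  // white on a dark blue button
];
```

Running `auditPalette(SAMPLE_PALETTE)` in a build step and failing the build on any `passes: false` row catches the grey-text regressions that a quarterly scan would only find after they have shipped.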
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When the card fields are delivered by the processor (a redirect or an iframe), card data goes directly to the processor’s servers and never crosses yours, and your PCI scope is reduced to SAQ A (the shortest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database or logs. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server. The page that hosts the payment form is still your responsibility: a compromised plugin or a third-party script injected into the checkout page can skim card details before they reach the processor’s iframe (this is how Magecart-style attacks work), so keep the scripts loaded on checkout to the minimum and review them after every plugin update.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 per designation and takes about 15 minutes at copyright.gov/dmca-directory; the designation expires after three years and must be renewed, or the safe harbor lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices (the same contact details you register). For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR sets 16 by default and lets member states lower it to 13), and add a neutral age gate (ask for the date of birth without showing the cutoff) to registration forms if there is any possibility of underage users. If the answer shows the user is under 13, stop collecting anything further and do not let them simply go back and enter a different date.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the version of the terms accepted alongside the user record, since you may need to show which text a given user agreed to. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. “By using the site you accept these terms” (browsewrap) is weakly enforceable; for anything you may need to rely on later, such as a paid service or a community with moderation rules, use an explicit checkbox (clickwrap) and record the acceptance
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers storing or reading anything on the visitor’s device, so it applies to localStorage, tracking pixels and fingerprinting scripts just as much as to cookies; renaming a tracker does not take it out of scope.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to (per category), when, against which version of your cookie policy text, and for which visitor. A pseudonymous consent ID is enough; you do not need to identify the visitor, and a record of “reject all” is as important as one of “accept all”
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt only when the user explicitly asked for the feature (e.g. chose a language); preference cookies set on your own initiative need consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR, unless the tool stores no cookie or equivalent identifier at all (see Privacy-First Analytics) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month; extendable by two further months for complex or numerous requests, if you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as legal retention obligations)
- Verify the requester’s identity before releasing or erasing anything: a forged access request is a cheap way to extract someone else’s data, so tie the request to the account’s registered email address or an authenticated session rather than replying to whoever asks
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Where the vendor is outside the EU/UK, the DPA should also name the transfer mechanism (Standard Contractual Clauses or the vendor’s EU-US Data Privacy Framework certification). Not having a DPA in place is a GDPR violation in its own right (Article 28), even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They run on a verified-email flow: the user requests, confirms via a link sent to their address, and only then does an administrator run the export or erasure, which is the identity check the data subject rights section above calls for. These tools cover core WordPress data (profile, comments) plus whatever plugins have registered through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions register with them; a plugin that stores personal data without doing so is silently missed by both tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. The clock starts when you become aware, which presupposes that you can notice a breach at all: keep and retain web server and admin access logs, know who to contact at your host and each processor (a processor must notify you of breaches without undue delay under its DPA), and designate someone responsible for breach assessment and notification in your organization. Document the breaches you decide not to report, and why; the regulator can ask for that record.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out, which California’s regulations treat as a valid request (the 2022 Sephora enforcement action turned on ignoring it). Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether your plugin also respects GPC, and enable that if it does.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the visitor’s browser to the processor’s servers and never touches yours, your PCI scope is reduced to SAQ A, the shortest self-assessment questionnaire.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side inside the processor’s own iframe and handing your server only a token or payment method ID. SAQ A reduces your scope; it does not remove your responsibility for the page that embeds the form. A compromised plugin or theme can inject a skimming script into the checkout page that captures card details before they reach the processor (for example by replacing the payment iframe with a look-alike form - this is how Magecart-style attacks on WooCommerce and Magento stores work), so keep the checkout page free of unvetted third-party scripts, keep plugins updated, and re-check what loads on that page after every plugin install.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or it lapses along with the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, where GDPR sets the default age of digital consent at 16 and lets member states lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. If the check reveals an under-13 user, reject the registration and discard what was entered: once you have actual knowledge of a child’s age and keep their data anyway, COPPA applies in full.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you record the timestamp, the account, and the ToS version that was accepted; a bare boolean flag proves little once the terms have changed. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked, and the ToS checkbox must not double as marketing consent - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the narrow ePrivacy “soft opt-in” for existing customers aside). Under CAN-SPAM (US), opt-in is not required, but opt-out requests must be honored within 10 business days, and every message needs a working unsubscribe mechanism and a valid postal address. Under CASL (Canada), express opt-in is required for commercial messages, with implied consent limited to cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly (cookie-less mode, IP anonymization, no cross-site tracking) - but your server then holds the raw visitor data, so it needs the same access control, backup and retention discipline as the rest of your personal data.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
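As an added illustration (not code from the article or from any of the plugins compared below), here is a minimal browser consent manager that implements the five requirements above: non-essential scripts are registered but not fetched until their category is granted, every non-essential category starts denied, reject-all and withdrawal are each a single step, and every decision produces a timestamped record. The category names, script URLs and the `CONSENT_VERSION` constant are assumptions for this example.

```javascript
// Banner categories. "necessary" is the strictly-necessary exemption and needs
// no consent; every other category is denied until actively granted.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Bump when the cookie policy changes so that stale consent is asked again.
const CONSENT_VERSION = 1;

class ConsentManager {
  constructor({ now = () => new Date() } = {}) {
    this.now = now;       // injectable clock so records are reproducible
    this.scripts = [];    // registered tags: { src, category, loaded }
    this.choices = null;  // null = no decision yet, so the banner must show
    this.records = [];    // consent log: one entry per decision, newest last
  }

  // Register a script by category. Non-essential scripts are NOT fetched here;
  // deferring the fetch until consent exists is what makes the consent "prior".
  register(src, category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const entry = { src, category, loaded: false };
    this.scripts.push(entry);
    if (category === "necessary") this.loadScript(entry);
    return entry;
  }

  // The banner stays up until a decision for the current policy version exists.
  needsBanner() {
    return this.choices === null || this.choices.version !== CONSENT_VERSION;
  }

  allowed(category) {
    if (category === "necessary") return true;
    return Boolean(this.choices && this.choices.granted[category]);
  }

  // Explicit decision from the banner. A category the visitor did not actively
  // tick is recorded as denied: the "no pre-ticked boxes" rule.
  decide(ticked, action = "custom") {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" || ticked[c] === true;
    this.choices = { version: CONSENT_VERSION, granted };
    this.records.push({ action, version: CONSENT_VERSION, granted: { ...granted }, at: this.now().toISOString() });
    return this.applyChoices();
  }

  acceptAll() {
    return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all");
  }

  // "Reject All" is one click, exactly like "Accept All".
  rejectAll() { return this.decide({}, "reject_all"); }

  // Withdrawal is the same single step as granting. Scripts already fetched
  // cannot be un-run, so the caller must also delete the cookies those vendors
  // set (vendor-specific, not shown here).
  withdraw() { return this.decide({}, "withdraw"); }

  // Load every registered script whose category is now granted, each at most
  // once. Returns the srcs loaded by this call.
  applyChoices() {
    const loadedNow = [];
    for (const s of this.scripts) {
      if (!s.loaded && this.allowed(s.category)) {
        this.loadScript(s);
        loadedNow.push(s.src);
      }
    }
    return loadedNow;
  }

  // Most recent consent-log entry, ready to persist server-side or locally.
  latestRecord() {
    return this.records.length ? this.records[this.records.length - 1] : null;
  }

  // Browser side effect; outside a browser (e.g. in tests) it only marks the entry.
  loadScript(entry) {
    entry.loaded = true;
    if (typeof document !== "undefined") {
      const tag = document.createElement("script");
      tag.src = entry.src;
      tag.async = true;
      document.head.appendChild(tag);
    }
  }
}

// Constructed demo: the page registers its scripts before the banner is
// answered, then the visitor ticks only "analytics". URLs are placeholders.
function demo() {
  const cm = new ConsentManager({ now: () => new Date("2026-01-15T10:00:00Z") });
  cm.register("/assets/csrf.js", "necessary");                 // loads at once
  cm.register("https://analytics.example/ga.js", "analytics"); // waits
  cm.register("https://ads.example/pixel.js", "marketing");    // waits
  const loadedAfterDecision = cm.decide({ analytics: true });
  return { cm, loadedAfterDecision };
}
```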
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
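The rule above is easier to keep if your server also refuses to persist anything that looks like a card number, so a mis-wired form or a customer pasting a card into a free-text field cannot quietly pull your database and logs into PCI scope. Below is an added example, not code from the article or from Stripe, PayPal or WooCommerce: a screen for parsed form submissions built on the standard Luhn (mod 10) check; the field names, the placeholder token and the sample body are constructed.

```javascript
// Luhn (mod 10) checksum, the self-check every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13-19 digits, optionally separated by single spaces or
// hyphens, and not part of a longer digit run (so long order IDs and
// timestamps are skipped). Luhn then weeds out most remaining false positives.
const CANDIDATE = /(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, "");
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Every Luhn-valid candidate in a string, as written (separators included).
function findPans(text) {
  return Array.from(text.matchAll(CANDIDATE), (m) => m[0]).filter(isPan);
}

// Masks all but the last four digits, for logs, tickets and error reports.
function redactPans(text) {
  return text.replace(CANDIDATE, (m) =>
    isPan(m) ? "[PAN REDACTED ****" + m.replace(/[ -]/g, "").slice(-4) + "]" : m
  );
}

// Walks a parsed form body (strings, arrays, nested objects) and reports the
// fields that carry a PAN. Persist only when `ok` is true; log `redacted`.
function screenSubmission(body) {
  const offending = [];
  const walk = (value, path) => {
    if (typeof value === "string") {
      if (findPans(value).length > 0) offending.push(path);
      return redactPans(value);
    }
    if (Array.isArray(value)) return value.map((v, i) => walk(v, `${path}[${i}]`));
    if (value !== null && typeof value === "object") {
      const out = {};
      for (const [k, v] of Object.entries(value)) out[k] = walk(v, path ? `${path}.${k}` : k);
      return out;
    }
    return value;
  };
  const redacted = walk(body, "");
  return { ok: offending.length === 0, offending, redacted };
}

// Constructed sample: a checkout "notes" field into which a customer pasted a
// card number. 4242 4242 4242 4242 is a publicly documented test number; the
// token value is a placeholder, not a real processor token.
const SAMPLE_BODY = {
  email: "customer@example.com",
  order_id: "20260115000123456",
  payment_token: "tok_placeholder_1Abc2Def3Ghi",
  notes: "Please charge my card 4242 4242 4242 4242 instead",
};
```

Wire `screenSubmission` in before any database write or logging call; a tokenized flow (Stripe.js, Elements, Smart Buttons) only ever sends tokens and IDs to your server, so a non-`ok` result means something upstream is leaking card data.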
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment cards, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
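The requirements above (prior, active, granular, withdrawable consent, plus a stored record) translate directly into a small piece of front-end logic. The following is an added example written for this article, not code from any of the consent plugins compared below: it keeps every non-necessary category off until the visitor explicitly grants it, only then decides which third-party scripts may load, and builds the record you must retain. The script registry, policy version, subject id and the 12-month renewal interval are all assumptions made up for the example.

```javascript
// Added example (not the article's or any plugin's code): a minimal consent
// gate that enforces the practical requirements above. Category names follow
// the table; the script registry and policy version are made-up sample data.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed sample registry of third-party scripts and the category each
// one belongs to. Nothing in a non-necessary category loads before consent.
const SCRIPT_REGISTRY = [
  { id: 'csrf-helper', category: 'necessary',  src: '/js/csrf.js' },
  { id: 'lang-pref',   category: 'functional', src: '/js/lang.js' },
  { id: 'analytics',   category: 'analytics',  src: 'https://analytics.example/script.js' },
  { id: 'ad-pixel',    category: 'marketing',  src: 'https://ads.example/pixel.js' },
];

// State before any click: nothing non-essential is granted (no pre-ticked
// boxes, no "consent by scrolling").
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Normalise a visitor's choice. Every non-necessary category must be an
// explicit boolean true; anything missing or malformed is treated as refused.
function normalizeChoice(choice) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;
    consent[cat] = Boolean(choice) && choice[cat] === true;
  }
  return consent;
}

// The record you must keep: what was consented to, when, against which policy
// version, and how (explicit click vs. later withdrawal). `now` and
// `subjectId` are injected so the function is deterministic and testable.
function buildConsentRecord(choice, { policyVersion, now, subjectId, method = 'explicit-click' }) {
  return {
    subjectId,
    policyVersion,
    timestamp: new Date(now).toISOString(),
    method,
    categories: normalizeChoice(choice),
  };
}

// Withdrawal is as easy as granting: one call resets to the default state and
// records that the visitor withdrew.
function withdrawConsent({ policyVersion, now, subjectId }) {
  return buildConsentRecord({}, { policyVersion, now, subjectId, method: 'withdrawn' });
}

// A stored record stops counting when the policy it was given against changes
// or it is older than the renewal interval (the 365-day default is an assumed
// house rule, not something the article specifies).
function consentIsCurrent(record, policyVersion, now, maxAgeDays = 365) {
  if (!record || record.policyVersion !== policyVersion) return false;
  const ageMs = new Date(now) - new Date(record.timestamp);
  return ageMs >= 0 && ageMs <= maxAgeDays * 24 * 60 * 60 * 1000;
}

// Registry entries permitted under a record. "Prior" consent means this is the
// only path by which a non-necessary script ever reaches the page.
function scriptsToLoad(record, registry = SCRIPT_REGISTRY) {
  const granted = record ? record.categories : defaultConsent();
  return registry.filter((s) => granted[s.category] === true).map((s) => s.id);
}

// Browser-only side effect: inject the permitted scripts. Guarded so the same
// module runs under Node for testing; returns how many scripts are allowed.
function applyConsent(record, registry = SCRIPT_REGISTRY) {
  const allowed = new Set(scriptsToLoad(record, registry));
  if (typeof document === 'undefined') return allowed.size;
  for (const s of registry) {
    if (!allowed.has(s.id) || document.getElementById('consent-' + s.id)) continue;
    const el = document.createElement('script');
    el.id = 'consent-' + s.id;
    el.src = s.src;
    document.head.appendChild(el);
  }
  return allowed.size;
}
```

In a real deployment the record returned by `buildConsentRecord` is what gets persisted (the consent log the plugins above maintain), and `consentIsCurrent` is checked on every page load before `applyConsent` runs, so a changed policy version re-prompts the visitor instead of silently reusing stale consent.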
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
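A server-side check helps enforce the "never touches your server" rule even when a form is mis-wired. The block below is an added example written for this article, not Stripe's, PayPal's or WooCommerce's code: the checkout endpoint accepts only the opaque token the processor's client-side library returned, and rejects any request field that looks like a card number (13 to 19 digits passing the Luhn check) so that raw card data is refused rather than quietly logged or stored. The field names, the `payment_token` parameter and the sample requests are constructed for the example.

```javascript
// Added example (not the article's, Stripe's or WooCommerce's code): a
// server-side guard for the "card data never touches your server" rule. The
// checkout endpoint accepts only a processor-issued token; any field that
// looks like a card number is rejected and the field path is reported, so a
// mis-wired form cannot silently pull your server into PCI scope.
// Field names and the sample requests are constructed for the example.

// Luhn check: the checksum every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" when, after stripping spaces and dashes, it is
// 13-19 digits and Luhn-valid. Order numbers and phone numbers rarely pass both.
function looksLikeCardNumber(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body (objects, arrays, nested) and return the paths of
// every PAN-looking value. An empty list means the body is safe to process.
function findCardNumbers(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findCardNumbers(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikeCardNumber(body)) {
    hits.push(path);
  }
  return hits;
}

// Checkout handler: the only payment field accepted is `payment_token`, the
// opaque reference the processor's client-side library produced. The handler
// never sees, logs or stores a card number; only the token reaches your database.
function handleCheckout(body) {
  const hits = findCardNumbers(body);
  if (hits.length > 0) {
    // Report the field path, never the value itself, so logs stay out of scope too.
    return { status: 400, error: 'card data must not be sent to this server', fields: hits };
  }
  if (typeof body.payment_token !== 'string' || body.payment_token.length === 0) {
    return { status: 400, error: 'missing payment_token' };
  }
  // Hand the token to the processor's server-side API here (omitted).
  return { status: 200, charged_with: body.payment_token };
}
```

The rejection path is also a useful monitoring signal: a sudden run of 400s with a `fields` entry means a form or plugin update started posting card data to you, which is exactly the change that would move you out of SAQ A.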
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
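The requirements list above and the category table, worked through as an added JavaScript example (not code from the original post or any of the plugins it compares): a small consent-state manager that keeps every non-essential script blocked until the visitor makes an explicit decision, treats unticked categories as refused, records what was consented to and when, lets the visitor withdraw, and re-prompts when the policy version changes. The storage object, subject ID, policy version string and source labels are assumptions; in a browser the storage would wrap localStorage.

```javascript
// Added example, not the original post's code. Category names follow the table above.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// In-memory storage with the get/set shape a localStorage wrapper would have,
// so the logic can run (and be tested) outside a browser.
function memoryStorage() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; } };
}

function createConsentManager({ policyVersion, storage, subjectId, now = () => new Date() }) {
  // Fresh visitor: only strictly necessary cookies are allowed until the user acts.
  // This is what "prior" consent means in practice: no analytics or marketing
  // script runs on the first page view.
  const blank = () => ({
    decided: false,
    policyVersion,
    choices: { necessary: true, functional: false, analytics: false, marketing: false },
    log: [],
  });
  let state = storage.get() || blank();

  // A decision recorded under an older policy version does not carry over.
  const current = () => state.decided && state.policyVersion === policyVersion;

  function isAllowed(category) {
    if (category === 'necessary') return true;        // exempt, never gated
    if (!CATEGORIES.includes(category)) return false; // unknown category: block it
    return current() && state.choices[category] === true;
  }

  // Save a granular decision. Anything not explicitly ticked counts as refused,
  // which rules out pre-ticked boxes and "consent by scrolling".
  function decide(choices, source) {
    const normalized = { necessary: true }; // strictly necessary cannot be opted out of
    for (const c of CATEGORIES.slice(1)) normalized[c] = choices[c] === true;
    // The consent record: who, when, under which policy text, via which control, and what.
    const entry = {
      subjectId,
      at: now().toISOString(),
      policyVersion,
      source,
      choices: { ...normalized },
    };
    state = { decided: true, policyVersion, choices: normalized, log: [...state.log, entry] };
    storage.set(state);
    return entry;
  }

  // "Accept All" and "Reject All" are equally prominent actions; withdrawal is
  // just a reject-all issued from the footer settings link.
  const acceptAll = (source = 'banner-accept-all') =>
    decide({ functional: true, analytics: true, marketing: true }, source);
  const rejectAll = (source = 'banner-reject-all') => decide({}, source);
  const withdraw = () => rejectAll('withdraw');

  // Show the banner when there is no decision for the current policy version.
  const needsPrompt = () => !current();

  // Script blocking: given a registry of tagged scripts, return only those whose
  // category is currently allowed. The page would inject these and nothing else.
  const scriptsToLoad = (registry) => registry.filter((s) => isAllowed(s.category));

  const log = () => state.log.slice();
  const latestRecord = () => state.log[state.log.length - 1] || null;

  return { isAllowed, decide, acceptAll, rejectAll, withdraw, needsPrompt, scriptsToLoad, log, latestRecord };
}
```

The `log()` entries are what you would ship to the server as the consent record; keeping them client-side only would not satisfy the "consent records" requirement.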
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
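The double opt-in flow described above, as an added JavaScript example (not the post's code and not any platform's API): a subscription store where an address is only mailable after the confirmation link is clicked, the consent record captures date, IP and method for both the request and the confirmation, confirmation tokens are single-use and expire, and unsubscribing takes effect immediately while the consent evidence is retained. The 48-hour expiry, the field names and the record shape are assumptions.

```javascript
// Added example, not the original post's code.
const CONFIRM_WINDOW_MS = 48 * 60 * 60 * 1000; // assumption: confirmation links expire after 48 hours

// Compare tokens without leaking their length-by-length match through timing.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function createSubscriptionStore({ now = () => new Date(), randomToken } = {}) {
  // Production default is Node's CSPRNG; tests inject a deterministic generator.
  const newToken = randomToken || (() => require('crypto').randomBytes(32).toString('hex'));
  const subscribers = new Map(); // normalized email -> record
  const key = (email) => email.trim().toLowerCase();

  // Step 1: the signup form is submitted. The address is pending, not on the list.
  function subscribe(email, { ip, form }) {
    const k = key(email);
    const existing = subscribers.get(k);
    if (existing && existing.status === 'confirmed') return { status: 'confirmed', token: null };
    const token = newToken();
    subscribers.set(k, {
      email: k,
      status: 'pending',
      token,
      requestedAt: now().toISOString(),
      requestIp: ip,
      form,
      consent: null,
      unsubscribedAt: null,
    });
    return { status: 'pending', token }; // the token goes into the confirmation email link
  }

  // Step 2: the subscriber clicks the link. Only now is the consent record created.
  function confirm(email, token, { ip }) {
    const rec = subscribers.get(key(email));
    if (!rec || rec.status !== 'pending') return { ok: false, reason: 'no pending request' };
    if (now() - new Date(rec.requestedAt) > CONFIRM_WINDOW_MS) return { ok: false, reason: 'expired' };
    if (!constantTimeEqual(rec.token, token)) return { ok: false, reason: 'bad token' };
    rec.status = 'confirmed';
    rec.token = null; // single use
    rec.consent = {
      method: 'double-opt-in',
      form: rec.form,
      requestedAt: rec.requestedAt,
      requestIp: rec.requestIp,
      confirmedAt: now().toISOString(),
      confirmIp: ip,
    };
    return { ok: true };
  }

  // Unsubscribe is effective at once; the consent record stays as evidence that
  // the earlier mailings were lawful.
  function unsubscribe(email) {
    const rec = subscribers.get(key(email));
    if (!rec) return false;
    rec.status = 'unsubscribed';
    rec.unsubscribedAt = now().toISOString();
    return true;
  }

  // The only question the sending job should ask.
  function canSend(email) {
    const rec = subscribers.get(key(email));
    return !!rec && rec.status === 'confirmed';
  }

  function consentRecord(email) {
    const rec = subscribers.get(key(email));
    return rec ? rec.consent : null;
  }

  return { subscribe, confirm, unsubscribe, canSend, consentRecord };
}
```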
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
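The 4.5:1 contrast requirement, implemented as an added example (not code from the article, WAVE or axe) so colour pairs can be checked in a build step rather than only by eye. It uses the WCAG 2.1 relative-luminance formula and assumes colours are given as hex strings.

```javascript
// Added example; not code from the original article or from WAVE/axe.
const AA_NORMAL_TEXT = 4.5; // the ratio the article cites for normal text
const AA_LARGE_TEXT = 3.0;  // WCAG 2.1 AA threshold for large text (18pt, or 14pt bold)

// Parse "#rgb" or "#rrggbb" into [r, g, b] in 0..255; throws on anything else.
function parseHex(color) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(String(color).trim());
  if (!m) throw new Error(`not a hex colour: ${color}`);
  let h = m[1];
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance: linearise each sRGB channel, then weight the channels.
function relativeLuminance(color) {
  const [r, g, b] = parseHex(color).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); argument order does not matter.
function contrastRatio(foreground, background) {
  const l1 = relativeLuminance(foreground);
  const l2 = relativeLuminance(background);
  const [light, dark] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (light + 0.05) / (dark + 0.05);
}

// Check one text/background pair against AA; the ratio is returned for reporting.
function checkTextContrast(foreground, background, { largeText = false } = {}) {
  const ratio = contrastRatio(foreground, background);
  const required = largeText ? AA_LARGE_TEXT : AA_NORMAL_TEXT;
  return { ratio: Math.round(ratio * 100) / 100, required, passesAA: ratio >= required };
}

// Audit a palette of { foreground, background, largeText } pairs; returns only the failures.
function auditPalette(pairs) {
  return pairs
    .map((p) => Object.assign({}, p, checkTextContrast(p.foreground, p.background, { largeText: p.largeText })))
    .filter((result) => !result.passesAA);
}
```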
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
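A defender’s check for the rule “card data never touches your server”, as an added example that is not code from Stripe, PayPal, WooCommerce or the article: a guard that refuses to persist any form field containing a Luhn-valid card-number pattern. If client-side tokenization is working, nothing ever trips it; if something does, the SAQ A assumption is wrong and the form needs fixing. The field names are constructed, and the only card number used is Stripe’s publicly documented test number 4242 4242 4242 4242.

```javascript
// Added example, not from any payment processor or the article: a server-side
// guard that detects card-number-shaped values in submitted form data so they
// are never written to your database or logs.

// Luhn check over a string of digits only.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
// This is a heuristic: long numeric ids can match, so treat hits as "review",
// not "certain".
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

function looksLikePan(value) {
  if (typeof value !== "string") return false;
  for (const m of value.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Walk a (possibly nested) submission object; return dotted names of offending fields.
function findPanFields(body, prefix = "") {
  const hits = [];
  for (const [k, v] of Object.entries(body)) {
    const name = prefix ? `${prefix}.${k}` : k;
    if (v && typeof v === "object") hits.push(...findPanFields(v, name));
    else if (looksLikePan(v)) hits.push(name);
  }
  return hits;
}

// Call before persisting or logging a submission. On a hit, reject it and
// report only the field names; never echo the value back or write it to a log.
function sanitizeSubmission(body) {
  const offending = findPanFields(body);
  if (offending.length === 0) return { ok: true, body };
  return { ok: false, offending };
}

// Constructed sample submission: a customer typed a card number into a free-text note.
const SAMPLE_SUBMISSION = {
  name: "Ann Example",
  note: "please charge 4242 4242 4242 4242 and ship Monday",
  shipping: { phone: "555-0100", postcode: "SW1A 1AA" },
};
```

Wire `sanitizeSubmission` in front of every handler that stores contact-form, order-note or support-ticket text; those free-text fields, not the checkout form itself, are where card numbers most often leak into a merchant’s own database.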
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
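What a double opt-in flow has to record, as an added example that is not code from the article or from Mailchimp, ConvertKit or ActiveCampaign. The in-memory Map, the 48-hour confirmation window and the injectable token generator are assumptions; a real deployment backs this with a database and uses the platform’s own consent fields.

```javascript
// Added example, not from the article or any mailing platform: a double
// opt-in subscriber store. An address is only ever mailed after the
// confirmation link is used, every consent carries date, IP and method, and
// unsubscribes take effect immediately.

// Default token source: 32 random bytes as hex (assumes globalThis.crypto,
// i.e. a browser or Node 19+). Tests inject a deterministic generator instead.
function defaultToken() {
  const bytes = new Uint8Array(32);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

class SubscriberList {
  constructor({ now = () => new Date(), token = defaultToken, confirmTtlHours = 48 } = {}) {
    this.now = now;
    this.token = token;
    this.ttlMs = confirmTtlHours * 3600 * 1000;
    this.bySubscriber = new Map(); // normalised email -> record
    this.byToken = new Map();      // pending confirmation token -> email
  }

  // Step 1: the signup form was submitted. Nothing is added to the list yet;
  // the returned token goes into the confirmation email.
  requestSubscription(email, { ip, source }) {
    const addr = email.trim().toLowerCase();
    const existing = this.bySubscriber.get(addr);
    if (existing && existing.status === "subscribed") return { status: "already_subscribed" };
    if (existing && existing.pendingToken) this.byToken.delete(existing.pendingToken);
    const token = this.token();
    this.bySubscriber.set(addr, {
      email: addr, status: "pending", consent: null, pendingToken: token,
      requestedAt: this.now().toISOString(), requestIp: ip, source,
    });
    this.byToken.set(token, addr);
    return { status: "pending", token };
  }

  // Step 2: the subscriber clicked the link. This is the consent event, so
  // this is where date, IP and method are recorded. Tokens are single-use
  // and expire, so an old link found in a mailbox cannot subscribe someone later.
  confirm(token, { ip }) {
    const addr = this.byToken.get(token);
    if (!addr) return { status: "invalid_token" };
    this.byToken.delete(token);
    const rec = this.bySubscriber.get(addr);
    rec.pendingToken = null;
    const now = this.now();
    if (now - new Date(rec.requestedAt) > this.ttlMs) {
      rec.status = "expired";
      return { status: "expired" };
    }
    rec.status = "subscribed";
    rec.consent = {
      method: "double_opt_in", source: rec.source,
      requestIp: rec.requestIp, confirmIp: ip, confirmedAt: now.toISOString(),
    };
    return { status: "subscribed" };
  }

  // Unsubscribe is effective immediately; the record is kept as evidence.
  unsubscribe(email) {
    const rec = this.bySubscriber.get(email.trim().toLowerCase());
    if (!rec) return { status: "unknown" };
    rec.status = "unsubscribed";
    rec.unsubscribedAt = this.now().toISOString();
    return { status: "unsubscribed" };
  }

  // The only addresses a campaign may ever be sent to.
  recipients() {
    return [...this.bySubscriber.values()]
      .filter(r => r.status === "subscribed")
      .map(r => r.email);
  }
}
```

The `consent` object on each record is the artefact to check for when you verify a platform’s forms: if you cannot point to a confirmation timestamp and the method by which consent was given, you have a list of addresses, not a list of consents.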
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
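Those five requirements, together with the checklist item “no pre-tick, granular, withdrawable” under Lawful Basis, are easiest to see as code. The block below is an added example, not code from the article or from any of the consent plugins this guide compares; the category names, the policy version string and the in-memory log are assumptions standing in for a real banner and its server-side consent database.

```javascript
// Added example, not from the article or any consent plugin: a minimal
// consent manager that runs no non-essential script before an active opt-in,
// decides each category separately, lets consent be withdrawn, and writes
// every decision to a consent record.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed; bump whenever the cookie policy text changes

class ConsentManager {
  constructor({ now = () => new Date(), log = [] } = {}) {
    this.now = now;       // injectable clock so records are reproducible in tests
    this.log = log;       // append-only consent records: what, when, by whom
    this.state = ConsentManager.defaultState();
    this.pending = [];    // scripts registered but not yet allowed to run
    this.loaded = [];     // names of scripts that have run
  }

  // "No pre-ticked boxes": everything starts refused except strictly
  // necessary, which is exempt from consent and therefore always on.
  static defaultState() {
    const s = {};
    for (const c of CATEGORIES) s[c] = c === "necessary";
    return s;
  }

  // Register a script with its category. It runs only once that category has
  // consent, which is what "prior" consent means in practice.
  register(name, category, run) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ name, category, run });
    this.flush();
  }

  flush() {
    const waiting = [];
    for (const s of this.pending) {
      if (this.state[s.category]) { s.run(); this.loaded.push(s.name); }
      else waiting.push(s);
    }
    this.pending = waiting;
  }

  // Granular update: each category is decided on its own, and only an explicit
  // true counts as acceptance. Every decision is written to the consent log.
  update(choices, { subjectId, method }) {
    const next = { ...this.state };
    for (const [c, v] of Object.entries(choices)) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      if (c === "necessary") continue;   // exempt; cannot be switched off
      next[c] = v === true;
    }
    this.state = next;
    this.log.push({
      subjectId, method, version: POLICY_VERSION,
      at: this.now().toISOString(), choices: { ...next },
    });
    this.flush();
    return { ...next };
  }

  acceptAll(meta) {
    return this.update(Object.fromEntries(CATEGORIES.map(c => [c, true])), meta);
  }

  // "Reject All" must be as easy as "Accept All": one call, not a nested dialog.
  rejectAll(meta) {
    return this.update(Object.fromEntries(CATEGORIES.map(c => [c, false])), meta);
  }

  // Withdrawal is recorded like any other decision. Scripts that already ran
  // cannot be unloaded from the current page; the record keeps them blocked
  // from the next page load onward.
  withdraw(meta) {
    return this.rejectAll({ ...meta, method: "withdraw" });
  }
}
```

`register()` is where a plugin’s script blocking does its work: the tag for Matomo or an ad pixel is held back until its category is true, and a visitor who never touches the banner stays at the defaults. The log entries are what you would hand to a supervisory authority, so in a real site they are written server-side together with the policy version the visitor was shown.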
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Keep a written record of every breach, including those you decide not to report; GDPR requires that documentation either way. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (at least 4.5:1 for normal text and 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than three times in any one-second period (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
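As an added example (not from the original post), here is the WCAG 2.x contrast-ratio computation behind the 4.5:1 and 3:1 thresholds, so a colour pair from a stylesheet can be checked without a browser. It implements the relative-luminance formula from the WCAG specification; the hex colours in the sample pairs are constructed values, chosen because light grey body text on white is the most common near-miss.

```javascript
// WCAG 2.x contrast ratio: (L1 + 0.05) / (L2 + 0.05), where L is relative luminance.
// Added example; not the original post's code.

function hexToRgb(hex) {
  const h = hex.replace("#", "");
  const full = h.length === 3 ? h.split("").map((c) => c + c).join("") : h;
  const n = parseInt(full, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0-255) to linear light, per the WCAG definition of relative luminance.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA: 4.5:1 for normal text, 3:1 for large text (roughly 18pt, or 14pt bold).
function meetsAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Constructed sample pairs: #777 on white is the classic "looks fine, fails by a hair" case.
const SAMPLE_PAIRS = [
  { name: "body text #777 on white", fg: "#777777", bg: "#ffffff", large: false },
  { name: "body text #767676 on white", fg: "#767676", bg: "#ffffff", large: false },
  { name: "heading #777 on white (large)", fg: "#777777", bg: "#ffffff", large: true },
];

function auditPairs(pairs = SAMPLE_PAIRS) {
  return pairs.map((p) => ({
    name: p.name,
    ratio: Number(contrastRatio(p.fg, p.bg).toFixed(2)),
    passes: meetsAA(p.fg, p.bg, p.large),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPairs()) console.log(`${r.name}: ${r.ratio}:1 ${r.passes ? "PASS" : "FAIL"}`);
}
```

Feed it the foreground/background pairs from your theme's CSS variables; the two greys differ by one step and sit on opposite sides of the 4.5:1 line, which is why automated scanners flag colours that look identical to the eye.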
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, typically to PCI SAQ A (the simplest self-assessment questionnaire). Reduced scope is not zero scope: PCI DSS v4 pays close attention to the scripts running on the page that hosts the payment form, because a checkout page compromised by a rogue plugin or third-party JavaScript can skim card data even when the form itself is an iframe. Keep the checkout page’s plugin and script footprint minimal, and keep WordPress and its plugins patched.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
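A check that belongs next to that rule, added here as an example and not taken from the original post: a scanner that looks for card numbers (PANs) that have leaked into places they should never be, such as order notes, support tickets, form submissions or log files. It pairs a digit-run regex with the Luhn check, which discards most order numbers and phone numbers, and reports masked matches so the report itself does not become a second copy of the card data. The records it scans are constructed samples; 4242 4242 4242 4242 is Stripe’s public test card, not a real PAN, and the token-style IDs are made up.

```javascript
// Scan free-text records (order notes, form submissions, log lines) for leaked card numbers.
// Added example, not the original post's code. The sample records below are constructed.

// Luhn checksum: the final filter that separates card numbers from other long digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Keep the BIN (first six) and last four, which is what a fraud review needs; hide the rest.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Returns masked hits only: the scan report must never contain a full PAN.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ offset: m.index, masked: maskPan(digits) });
    }
  }
  return hits;
}

function scanRecords(records) {
  const report = [];
  for (const r of records) {
    for (const h of findPans(r.text)) report.push({ id: r.id, ...h });
  }
  return report;
}

// Constructed samples. The first is the leak; the bank reference is 16 digits but fails Luhn;
// the processor tokens and "last4" are what your side of the system should actually hold.
const SAMPLE_RECORDS = [
  { id: "order-1001-notes", text: "customer asked to be charged again: 4242 4242 4242 4242 exp 12/26" },
  { id: "order-1002-notes", text: "paid with pm_1NwXyZ2eZvKYlo2C (Stripe PaymentMethod id)" },
  { id: "order-1003-notes", text: "reference 1234567890123456 from bank transfer" },
  { id: "webhook.log", text: "2024-06-01T12:00:00Z stripe event evt_3NwXyZ amount=1999 last4=4444" },
];

if (typeof require !== "undefined" && require.main === module) console.log(scanRecords(SAMPLE_RECORDS));
```

Run it over a database export and over your web server and application logs. A single hit means card data touched your systems, which puts your SAQ A eligibility in question and usually traces back to a support agent typing a number into a free-text field. Luhn reduces but does not eliminate false positives, so review hits by hand before acting on them.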
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and the designation must be renewed every three years or it lapses - put the renewal date in the compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages; implied consent is available only in limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour (for example through analytics or advertising cookies). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible, serves or tracks visitors in the EU, and collects any data (email signups, contact forms, cookies, analytics), you are very likely subject to GDPR. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers any storing of, or access to, information on the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts are caught by it just as cookies are.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
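
An added example (not code from the original post or from any of the plugins discussed) of the logic a consent banner has to get right: nothing non-essential runs until the visitor has made an active choice, “Reject all” is one click exactly like “Accept all”, consent is recorded per category, the stored record carries the date and the policy version it was given for, and withdrawal is a single call. The decision logic is written to run outside a browser: the in-memory storage stands in for `localStorage`, and the script list and policy version are constructed sample values. In a real page, non-essential scripts are emitted as `<script type="text/plain" data-consent="analytics">` and each script returned by `activatable()` is cloned with its real type to execute it.

```javascript
// Consent gating logic for a cookie banner. Added example, not the original post's code.
// Category names follow the cookie-category table above; "necessary" never needs consent.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const STORAGE_KEY = "cookie_consent";
const POLICY_VERSION = "2024-06"; // assumed value; bump it whenever the cookie policy text changes

// In-memory stand-in for window.localStorage so the example runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

class ConsentManager {
  constructor(storage, now = () => new Date()) {
    this.storage = storage;
    this.now = now;
  }

  // The stored record counts only if it was given for the current policy version;
  // a visitor who consented to an older policy is asked again.
  current() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    return rec && rec.version === POLICY_VERSION ? rec : null;
  }

  // Every path ("Accept all", "Reject all", per-category save) lands here. A category is
  // granted only when the visitor explicitly set it to true: there is no pre-ticked default.
  record(choices, method) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" || choices[c] === true;
    const rec = { version: POLICY_VERSION, timestamp: this.now().toISOString(), method, granted };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.record(all, "accept_all");
  }

  // "Reject all" is one click, exactly like "Accept all".
  rejectAll() { return this.record({}, "reject_all"); }

  // Withdrawal: drop the record; the banner shows again and nothing non-essential runs.
  withdraw() { this.storage.removeItem(STORAGE_KEY); }

  allows(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.granted[category] === true;
  }

  // Scripts are held back as <script type="text/plain" data-consent="<category>">; this
  // returns the ones that may now be activated (in a browser: clone with the real type).
  activatable(scripts) {
    return scripts.filter((s) => this.allows(s.category));
  }
}

// Constructed sample of the scripts a typical page holds back.
const PAGE_SCRIPTS = [
  { id: "csrf-helper", category: "necessary" },
  { id: "gtag", category: "analytics" },
  { id: "fb-pixel", category: "marketing" },
];

// First visit, a granular choice, then withdrawal; returns the ids activated at each step.
function demo() {
  const cm = new ConsentManager(new MemoryStorage(), () => new Date("2024-06-01T12:00:00Z"));
  const beforeChoice = cm.activatable(PAGE_SCRIPTS).map((s) => s.id);
  cm.record({ analytics: true }, "custom");
  const afterCustom = cm.activatable(PAGE_SCRIPTS).map((s) => s.id);
  cm.withdraw();
  const afterWithdraw = cm.activatable(PAGE_SCRIPTS).map((s) => s.id);
  return { beforeChoice, afterCustom, afterWithdraw };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point a cookie scan will catch and this code enforces is the “prior” in prior consent: the analytics and marketing tags are never in the page as live scripts, so nothing fires on the first visit regardless of what the banner looks like. The stored record is what you export when a regulator asks you to demonstrate consent; a plugin's consent log is the same thing kept server-side.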
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month; extendable by two further months for complex or numerous requests, provided you tell the person within the first month)
- Process for deletion requests (erase data within one month, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
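The consent requirements listed above and the category table, as an added example that is not part of the original post: a small JavaScript consent gate in which every non-essential category defaults to rejected until the visitor chooses, third-party scripts load only under a consented category, withdrawal is a single call, and each choice produces a dated record of what was consented to and by whom. The category names, the script registry and the record fields are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): a consent gate modelling the
// ePrivacy/GDPR rules above. Category names, the script registry and the
// record shape are assumptions chosen for illustration.

// Cookie categories from the table; 'necessary' is exempt from consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed registry: which category each loaded script falls under.
const SCRIPT_REGISTRY = [
  { id: 'csrf-token', category: 'necessary' },
  { id: 'language-pref', category: 'functional' },
  { id: 'google-analytics', category: 'analytics' },
  { id: 'facebook-pixel', category: 'marketing' },
];

// State before the visitor has chosen anything: only strictly necessary.
// This is what "prior consent" and "no pre-ticked boxes" mean in code.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the visitor's explicit per-category choices into a consent record.
// Unknown categories are rejected; 'necessary' cannot be switched off.
function recordConsent(choices, opts) {
  const { subjectId, policyVersion, now = () => new Date() } = opts || {};
  const consent = defaultConsent();
  for (const cat of Object.keys(choices)) {
    if (!CATEGORIES.includes(cat)) {
      throw new Error('unknown cookie category: ' + cat);
    }
    if (cat === 'necessary') continue;
    if (typeof choices[cat] !== 'boolean') {
      throw new Error('choice for ' + cat + ' must be true or false');
    }
    consent[cat] = choices[cat];
  }
  return {
    subjectId: subjectId || null,         // pseudonymous visitor id ("by which user")
    policyVersion: policyVersion || null, // which cookie policy text was shown
    consent,                              // "what was consented to"
    grantedAt: now().toISOString(),       // "when"
    withdrawnAt: null,
  };
}

// Withdrawal is as easy as granting: one call, back to the default state,
// original choices kept alongside the withdrawal time for the audit trail.
function withdrawConsent(record, opts) {
  const { now = () => new Date() } = opts || {};
  return Object.assign({}, record, {
    consent: defaultConsent(),
    previousConsent: record.consent,
    withdrawnAt: now().toISOString(),
  });
}

// Scripts that may be loaded under the record (or with no record at all).
function allowedScripts(record, registry) {
  const consent = record ? record.consent : defaultConsent();
  return (registry || SCRIPT_REGISTRY)
    .filter((s) => consent[s.category] === true)
    .map((s) => s.id);
}

// Lint a banner configuration against the rules before shipping it:
// no pre-ticked non-essential category, no "Accept All" without "Reject All",
// and a per-category choice must exist.
function bannerConfigProblems(config) {
  const defaults = config.defaults || {};
  const buttons = config.buttons || [];
  const problems = [];
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && defaults[cat] === true) {
      problems.push('pre-ticked: ' + cat);
    }
  }
  if (buttons.includes('acceptAll') && !buttons.includes('rejectAll')) {
    problems.push('acceptAll without rejectAll');
  }
  if (!config.granular) problems.push('no per-category choice');
  return problems;
}

// Stand-alone demo: a visitor accepts analytics only, then withdraws.
const demo = recordConsent(
  { analytics: true, marketing: false },
  { subjectId: 'visitor-demo', policyVersion: 'cookie-policy-v3' }
);
console.log('may load:', allowedScripts(demo)); // csrf-token, google-analytics
console.log('after withdrawal:', allowedScripts(withdrawConsent(demo))); // csrf-token
```

In a real banner the record goes to the consent log your plugin keeps (the "Consent Logs" column in the comparison below) and the list returned by `allowedScripts` drives which script tags are injected.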
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or an explicit checkbox for services - courts enforce a clicked “I agree” box far more reliably than acceptance implied by browsing)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)) - store what was consented to, when, under which version of your cookie policy, and by which visitor. A pseudonymous identifier is enough; do not turn the consent log itself into an IP-address database
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the cookie that stores the visitor’s consent choice | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo in its default (cookie-setting) configuration, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Verify the requester’s identity before releasing or deleting anything (GDPR Article 12(6) lets you ask for additional information to confirm it); a forged access request is a cheap way to exfiltrate someone else’s data
- Process for handling access requests (provide data within one month, extendable by two further months for complex or numerous requests if you tell the requester within the first month)
- Process for deletion requests (erase within the same deadline, subject to exceptions such as legal retention obligations for invoices)
- Process for portability requests (export data in a machine-readable format such as CSV or JSON)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is a GDPR violation (Article 28 requires a contract with every processor) even if everything else is in order. Keep the signed copies; a supervisory authority will ask for them.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data such as user profiles and comments, plus whatever plugins register through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters; a plugin that stores personal data without registering is silently left out of every export and erasure. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions are included, and test with a real request against a staging copy rather than assuming.
Breach Notification
GDPR (Article 33) requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. The clock starts at awareness, not at the end of your investigation; you can notify in phases as facts emerge. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly (Article 34). Record every breach internally, including those you decide are not reportable, because the authority can ask to see that log. Designate someone responsible for breach assessment and notification in your organization before you need them.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (inflation-adjusted), buy, sell, or share the personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out, which California’s regulations treat as a valid request. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the GPC option is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance (the DOJ’s 2024 Title II rule adopts it for state and local government sites; WCAG 2.2 is the current version and adds criteria to 2.1 rather than changing them). Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes to the processor through a redirect or a processor-hosted iframe and never touches your servers, your PCI scope shrinks to SAQ A (the shortest self-assessment questionnaire). The distinction matters: a form on your own page whose JavaScript posts card data straight to the processor puts you in SAQ A-EP, which is substantially longer, and under PCI DSS v4.0 the scripts loaded on your checkout page are in scope in their own right (Requirements 6.4.3 and 11.6.1 cover script inventory, integrity, and tamper detection on payment pages). Keep third-party scripts off checkout pages.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they never land in your web server or application logs either. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (Elements renders its fields inside Stripe-hosted iframes) and tokenizing them before anything reaches your server.
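An added example of the check that backs the two “do not” rules above; it is written for this page and is not code from the original post or from any payment vendor’s SDK. It scans inbound request bodies and log lines for 13 to 19 digit runs that pass the Luhn check and masks them to the last four digits, so a misconfigured form or a debug log cannot quietly put card numbers on your server. The field names and sample values are constructed; 4242 4242 4242 4242 is Stripe’s public test card number.

```javascript
// Added example, not code from the original post or from any payment vendor's
// SDK: a guard that proves card numbers are not reaching your own server.
// It finds 13-19 digit runs (spaces or dashes allowed between digits), keeps
// only those that pass the Luhn check, and masks them to the last four digits.
// Field names and sample values below are constructed.

// Luhn checksum: the last digit of a valid PAN makes the weighted sum a multiple of 10.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns the text with every Luhn-valid PAN masked, plus what was found.
// The Luhn filter drops order ids, phone numbers and timestamps that merely look like PANs.
function redactPans(text) {
  const findings = [];
  const masked = text.replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match;
    findings.push({ last4: digits.slice(-4), length: digits.length });
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
  return { text: masked, findings };
}

// For inbound requests: your server must never see a PAN when the processor's
// client-side form is doing its job, so a hit means reject and investigate.
function inspectRequestBody(body) {
  const { text, findings } = redactPans(JSON.stringify(body));
  return { ok: findings.length === 0, findings, redacted: text };
}

// Constructed samples: a checkout body where a misconfigured form posted the raw
// card number (4242 4242 4242 4242 is Stripe's public test card), and a log line
// whose 16-digit order id is not a PAN and must be left alone.
const SAMPLE_BODY = { order: '2026031512345678', email: 'buyer@example.com', card: '4242 4242 4242 4242' };
const SAMPLE_LOG = 'POST /checkout order=2026031512345678 card=4242-4242-4242-4242 cvc=123';
```

Run inspectRequestBody on every POST to your own endpoints and refuse the request when ok is false; run redactPans over log lines before they are written. A hit in either place means card data reached your server and your SAQ A claim no longer holds, so treat it as an incident rather than a bug.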
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years, so put the renewal on your calendar; if it lapses, so does the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 in the US; under GDPR Article 8 the age of digital consent defaults to 16, and member states may lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Keep only the outcome of that check, not the full date of birth, unless you need it for something else.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - provided you actually store it: keep the timestamp and the version of the terms accepted with the account record, not just the tick. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing box must default to unchecked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. In the EU, the ePrivacy Directive together with GDPR requires explicit opt-in consent to send marketing emails; the narrow exception is the “soft opt-in” for existing customers being marketed similar products, with an opt-out in every message. Under CAN-SPAM (US), opt-in is not required but opt-out requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with implied consent limited to cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, method of consent, and the wording the subscriber saw for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies disabled and IP anonymization switched on, it does not require consent under most GDPR interpretations; the French CNIL, for example, publishes a configuration under which it is exempt from the consent requirement.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to, or monitoring the behaviour of, people in the EU (Article 3), wherever it is based | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you offer goods or services to people in the EU, or monitor their behaviour (analytics and advertising cookies count as monitoring under Article 3(2)), you are subject to GDPR regardless of where you are based. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
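Client-side tokenization only keeps you in SAQ A scope if the server side really never receives a card number, so it is worth having the server enforce that. The following is an added example of such a guard; it is not code from Stripe, PayPal or WooCommerce. It assumes the processor hands the browser an opaque token that the form posts to your server. The field names, the token shape it checks for and the sample submissions are constructed (4242 4242 4242 4242 is a well-known test number, not a real card).

```javascript
// Added example: keep raw card numbers (PANs) out of the application and
// its logs. Not the code of any processor or plugin named on the page;
// field names and the token format are constructed assumptions.

// Luhn check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Does a value look like a PAN? Strip spaces and dashes, require 13 to 19
// digits, then apply Luhn to cut down on false positives (order ids etc.).
function looksLikePan(value) {
  if (typeof value === 'number') value = String(value);
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body (nested objects and arrays included) and
// return the dotted paths of every field carrying a PAN.
function findPanFields(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Mask a PAN for display: only the last four digits survive.
function maskPan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Validate a checkout submission. Accept only a processor token (the
// prefix_alnum shape is an assumption; check your processor's docs) and
// refuse anything that carries card data. logLine is safe to write as-is:
// it names the offending field but never contains the number.
function validateCheckout(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return {
      ok: false, status: 400,
      reason: 'card data must not reach this server',
      logLine: `rejected checkout: PAN present in ${panFields.join(', ')}`,
    };
  }
  const token = body.payment_token;
  if (typeof token !== 'string' || !/^[A-Za-z]+_[A-Za-z0-9]{8,}$/.test(token)) {
    return { ok: false, status: 400, reason: 'missing or malformed payment token',
             logLine: 'rejected checkout: no payment token' };
  }
  return { ok: true, status: 200, logLine: `accepted checkout with token ${token}` };
}
```

Run `findPanFields` in the request pipeline before any logging, error reporting or persistence middleware sees the body, and treat a hit as a defect to fix (a form field that bypassed the processor's element), not as data to sanitize and keep. A rejected request with the PAN already in an access log or an error tracker puts that system in scope too.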
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
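Unbundled consent also has to be enforced where the form is processed, since a browser can post any fields it likes. The following is an added example of server-side validation of a registration submission that keeps Terms acceptance and marketing consent as separate purposes and produces one acceptance record per purpose. It is not code from WordPress or any plugin on this page; the field names, version strings, sample submissions and the `meta` shape (timestamp and client IP supplied by the request handler) are constructed.

```javascript
// Added example: validate a registration form with unbundled consent and
// build per-purpose acceptance records. Field names, versions and the
// request metadata shape are constructed assumptions.

const TERMS_VERSION = '2026-01';   // constructed: bump whenever the ToS changes
const PRIVACY_VERSION = '2026-01'; // constructed: bump whenever the policy changes

// One field per purpose. Only Terms acceptance is required to register;
// marketing is optional and must be a separate, unticked-by-default box.
const PURPOSES = {
  terms:     { field: 'accept_terms',     required: true,  version: TERMS_VERSION },
  marketing: { field: 'marketing_opt_in', required: false, version: PRIVACY_VERSION },
};

// A ticked HTML checkbox submits the literal value "on"; an unticked box is
// not submitted at all. Anything else (missing, "true", "1") is not consent.
function isTicked(body, field) {
  return body[field] === 'on';
}

// Returns { ok: true, records } or { ok: false, errors }. Records are
// produced for every purpose, including ones not given, so the audit trail
// shows what the user was offered and declined.
function validateRegistration(body, meta) {
  const errors = [];
  // A single combined "accept terms and marketing" field is bundled consent
  // and is refused outright, whatever its value.
  if ('accept_all' in body) errors.push('bundled consent field is not accepted');

  const records = [];
  for (const [purpose, def] of Object.entries(PURPOSES)) {
    const given = isTicked(body, def.field);
    if (def.required && !given) errors.push(`${purpose}: acceptance is required`);
    records.push({
      purpose,
      given,
      version: def.version,
      timestamp: meta.now.toISOString(),
      method: 'registration-form',
      ip: meta.ip,
    });
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, records };
}
```

Store the returned records alongside the account, keyed by purpose and version, so that when the Terms change you can tell which users accepted which version and re-prompt only those who need it; a later withdrawal of marketing consent is written as a new record with `given: false`, not by editing the old one.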
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
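The requirements above (default deny, explicit per-category choice, easy withdrawal, a consent record) and the category table are easier to reason about as a small state model. The following JavaScript is an added example, not code from this post or from any of the consent plugins compared below; the names (`CATEGORIES`, `recordConsent`, `scriptsAllowed`, `withdrawConsent`, `currentConsent`) and the sample script list are assumptions for illustration. It shows the defender-side logic a banner has to implement: nothing non-essential loads until a choice has been logged, "necessary" is never offered as a toggle, and every grant or withdrawal is appended to a log with the time and the policy version shown.

```javascript
// Added example of a cookie-consent state model; not code from the post or from
// any consent plugin. CATEGORIES, recordConsent, scriptsAllowed, withdrawConsent,
// currentConsent and SAMPLE_SCRIPTS are illustrative names (assumptions).

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Before any choice is made, only strictly necessary cookies are permitted.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent state from an explicit user action. `choices` must name every
// non-essential category with a boolean; a missing value is rejected so a banner
// cannot silently "pre-tick" a category. `necessary` is always true and is never
// a toggle (it needs no consent and must not be offered as a choice).
function consentFromChoices(choices) {
  const state = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;
    if (typeof choices[cat] !== 'boolean') {
      throw new Error(`no explicit choice recorded for category "${cat}"`);
    }
    state[cat] = choices[cat];
  }
  return state;
}

// Append an entry to the consent log: who, when, which policy version was shown,
// how consent was given (accept-all, reject-all, settings page, ...) and the
// exact resulting state. This is the record regulators ask for.
function recordConsent(log, visitorId, choices, { policyVersion, method, now }) {
  const state = consentFromChoices(choices);
  log.push({
    visitorId,
    timestamp: now.toISOString(),
    policyVersion,
    method,
    state: { ...state },
  });
  return state;
}

// Withdrawal is just another logged event that returns to the default state,
// so it is exactly as easy as granting and leaves an audit trail.
function withdrawConsent(log, visitorId, { policyVersion, now }) {
  return recordConsent(
    log, visitorId,
    { functional: false, analytics: false, marketing: false },
    { policyVersion, method: 'withdraw', now },
  );
}

// The current state for a visitor is their latest log entry, else the default.
function currentConsent(log, visitorId) {
  const entries = log.filter((e) => e.visitorId === visitorId);
  return entries.length ? { ...entries[entries.length - 1].state } : defaultConsent();
}

// Script blocking: given the tags a page wants to load, each labelled with its
// category, return only those whose category is permitted. Anything not returned
// must not be injected into the DOM, so no cookie is set before consent exists.
function scriptsAllowed(state, scripts) {
  return scripts.filter((s) => state[s.category] === true);
}

// Constructed sample: the kind of scripts a WordPress site might enqueue.
const SAMPLE_SCRIPTS = [
  { src: '/wp-includes/js/session.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Stand-alone demo: a visitor who allows analytics but not marketing.
const demoLog = [];
const demoState = recordConsent(demoLog, 'visitor-1',
  { functional: true, analytics: true, marketing: false },
  { policyVersion: '2026-01', method: 'settings-page', now: new Date() });
console.log(scriptsAllowed(demoState, SAMPLE_SCRIPTS).map((s) => s.src));
```

The log is append-only on purpose: a withdrawal does not erase the earlier grant, it supersedes it, which is what you need when asked to show what a visitor had consented to on a given date.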
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
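A cheap way to enforce "no card numbers reach this server" is a guard in front of your form handlers that rejects any submission carrying a PAN-shaped value, which catches a mis-built form or a plugin that quietly started posting card fields to your site. The following Node.js code is an added example, not code from this post or from Stripe, PayPal or WooCommerce; `luhnValid`, `looksLikePan`, `findPanFields` and `guardSubmission` are illustrative names, and the sample submissions are constructed (the 4242 number is a widely published test number, not a real card). The guard reports only field names, never the value, so the rejection itself cannot leak card data into logs.

```javascript
// Added example of a server-side PAN guard; not code from the post or from any
// payment processor. luhnValid, looksLikePan, findPanFields, guardSubmission,
// SAMPLE_OK and SAMPLE_BAD are illustrative names (assumptions).

// Luhn checksum, which every real payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13 to 19
// digits and passes Luhn. Phone numbers fail the length test and most numeric
// order ids fail the checksum, which keeps false positives low.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed form body (nested objects and arrays allowed) and collect the
// dotted paths of fields holding a PAN-like value. Values are never returned.
function findPanFields(body, prefix = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object') {
      hits.push(...findPanFields(value, path));
    } else if (looksLikePan(value)) {
      hits.push(path);
    }
  }
  return hits;
}

// Decision for a request handler: refuse the submission and name the offending
// fields so the form can be fixed, without echoing or storing the number.
function guardSubmission(body) {
  const fields = findPanFields(body);
  if (fields.length === 0) return { ok: true, fields: [] };
  return {
    ok: false,
    fields,
    reason: 'card data must go directly to the payment processor, not to this server',
  };
}

// Constructed sample submissions.
const SAMPLE_OK = { name: 'A. Customer', phone: '555-123-4567', order_id: '20260115000124' };
const SAMPLE_BAD = { name: 'A. Customer', billing: { card: '4242 4242 4242 4242' } };

// Stand-alone demo.
console.log(guardSubmission(SAMPLE_OK));
console.log(guardSubmission(SAMPLE_BAD));
```

Wire `guardSubmission` into whatever parses POST bodies before any validation, logging or database write happens, and treat a hit as a bug report: the right fix is to move that field into the processor's hosted form or Elements, not to accept the value.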
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
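The five requirements above map directly onto a small piece of client-side state handling. The following is an added example (not code from the post or from any of the plugins it reviews) showing non-essential categories defaulting to denied, a consent record that captures what was granted, when, and under which policy version, a one-call withdrawal, and script activation gated on the recorded categories. The category names, the `data-category` tagging convention, and the record shape are assumptions; a real banner would read the choices from checkboxes and copy gated scripts into live `<script>` elements, which is modelled here with plain objects so the logic runs without a DOM.

```javascript
// Added example: consent state for a cookie banner (not the original post's code).

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Assumed: bump this whenever the cookie policy changes so old records are invalidated.
const POLICY_VERSION = "2026-01";

function defaultState() {
  // "necessary" is exempt and always on; everything else starts denied.
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the user's active choice. Only keys that are
// literally `true` count, so a missing or truthy-but-not-boolean value can
// never behave like a pre-ticked box.
function recordConsent(choices, now = new Date()) {
  const state = defaultState();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) state[cat] = true;
  }
  return {
    version: POLICY_VERSION,
    grantedAt: now.toISOString(),
    categories: state,
    // Opaque id that the server-side consent log can store; nothing
    // identifying lives in the cookie itself.
    consentId: randomId(),
  };
}

// Withdrawal is a single call with no re-confirmation. It returns a new
// all-denied record that supersedes the old one; keep the old record in
// the log as history rather than deleting it.
function withdrawConsent(previous, now = new Date()) {
  return { ...recordConsent({}, now), supersedes: previous.consentId };
}

// A record from an earlier policy version is not consent for the current
// one: treat it as absent and show the banner again.
function isCurrent(record) {
  return record !== null && record !== undefined && record.version === POLICY_VERSION;
}

// Return the script URLs that may run given the record. In the browser the
// inputs would be <script type="text/plain" data-category="analytics"> tags;
// here they are objects with the same two fields.
function activateScripts(record, scripts) {
  const allowed = isCurrent(record) ? record.categories : defaultState();
  return scripts.filter((s) => allowed[s.category] === true).map((s) => s.src);
}

function randomId() {
  // Illustrative only; a production build would use crypto.randomUUID().
  return Math.random().toString(36).slice(2, 10) + Date.now().toString(36);
}

// Constructed sample: three scripts tagged with the category they belong to.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/script.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

With no record at all, only `/js/app.js` is activated; after `recordConsent({ analytics: true })` the analytics script joins it, and `withdrawConsent` returns the page to the necessary-only state. Storing the returned record (in a first-party cookie and in your server-side log) is what gives you the "what, when, by whom" trail the last bullet asks for.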
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
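A practical way to enforce "card data never touches your server" is a guardrail that refuses any request body or record about to be persisted if it contains something that looks like a card number. The block below is an added example, not code from the post or from Stripe, PayPal or WooCommerce: it finds 13 to 19 digit runs (spaces and dashes allowed), confirms them with the Luhn check so phone numbers and order ids are not flagged, and reports the field path with the number masked. The sample payload is constructed; `tok_visa` stands in for the token a processor's client-side form sends instead of the card number.

```javascript
// Added example: server-side PAN guardrail (not the original post's code).

// Luhn check on a string of digits; true when the checksum is valid.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Return masked copies of every Luhn-valid candidate found in `text`.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      // Keep first six and last four (the usual masking rule); never log the full PAN.
      hits.push(digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4));
    }
  }
  return hits;
}

// Walk a JSON-like object and collect { path, masked } for every field holding a PAN.
function scanPayload(obj, path = "") {
  const findings = [];
  if (obj !== null && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      findings.push(...scanPayload(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof obj === "string" || typeof obj === "number") {
    for (const masked of findPans(obj)) findings.push({ path, masked });
  }
  return findings;
}

// Gate to call before persisting or forwarding a request body.
function guard(body) {
  const findings = scanPayload(body);
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a phone number and an order id that must NOT be flagged,
// a processor token (the correct thing to receive), a Luhn-valid test card
// number hidden in free text, and a 16-digit value that fails Luhn.
const SAMPLE_BODY = {
  order_id: "ORD-2026-000123",
  customer: { phone: "+1 415 555 0123", note: "card 4242 4242 4242 4242 please charge" },
  payment_token: "tok_visa",
  legacy_field: "1234567890123456",
};
```

`guard(SAMPLE_BODY)` reports exactly one finding, at `customer.note`, masked as `424242******4242`. Rejecting the request there (and alerting) is cheaper than discovering months later that a "notes" field has been quietly collecting card numbers and pulling your whole database into PCI scope.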
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
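The monthly cookie scan in the table is easy to automate once you have a declared inventory to compare against. The block below is an added example (not code from the post or from any of the scanners it mentions): it parses the `Set-Cookie` headers a page returns, flags cookies your policy does not declare, cookies in a consent-requiring category that were set before any consent was given, and cookies whose lifetime exceeds what the policy states. The declared inventory and the sample headers are constructed; `_ga` and `_fbp` are the well-known Google Analytics and Facebook Pixel cookie names, `site_lang` is a made-up functional cookie. Collect the real headers from a fresh session that has not clicked "Accept", since that is the state in which no non-essential cookie should appear.

```javascript
// Added example: cookie inventory drift check (not the original post's code).

// Declared inventory, as it appears in the cookie policy: name -> category and lifetime.
const DECLARED = {
  PHPSESSID: { category: "necessary", maxAgeDays: 0 }, // session cookie
  wordpress_logged_in: { category: "necessary", maxAgeDays: 14 },
  site_lang: { category: "functional", maxAgeDays: 30 }, // constructed name
  _ga: { category: "analytics", maxAgeDays: 730 },
};

// Parse one Set-Cookie header value into { name, attrs }; attribute keys are lowercased.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const name = parts[0].slice(0, parts[0].indexOf("=")).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i < 0 ? true : p.slice(i + 1);
  }
  return { name, attrs };
}

// Lifetime in days: Max-Age takes precedence over Expires; neither means a session cookie.
function lifetimeDays(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires) return (new Date(attrs.expires) - now) / 86400000;
  return 0;
}

// Compare observed headers with the declared inventory and return findings.
function auditCookies(setCookieHeaders, declared, { consented = false, now = new Date() } = {}) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const { name, attrs } = parseSetCookie(h);
    const spec = declared[name];
    if (!spec) {
      findings.push({ name, issue: "undeclared" });
      continue;
    }
    if (!consented && spec.category !== "necessary") {
      findings.push({ name, issue: "set-before-consent", category: spec.category });
    }
    const days = lifetimeDays(attrs, now);
    // One day of tolerance absorbs rounding in Expires timestamps.
    if (days > spec.maxAgeDays + 1) {
      findings.push({
        name,
        issue: "lifetime-exceeds-policy",
        declaredDays: spec.maxAgeDays,
        actualDays: Math.round(days),
      });
    }
  }
  return findings;
}

// Constructed sample of headers observed on a page load with no consent given.
const SAMPLE_HEADERS = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.1; Max-Age=63072000; Path=/",
  "_fbp=fb.1.1; Max-Age=7776000; Path=/",
  "wordpress_logged_in=tok; Max-Age=2592000; Path=/; HttpOnly",
  "site_lang=en; Expires=Sat, 31 Jan 2026 00:00:00 GMT; Path=/",
];
```

Run against the sample with `consented: false` and `now` set to 1 January 2026, the audit produces four findings: `_fbp` is undeclared (a tracking pixel someone added without updating the policy), `_ga` and `site_lang` were set before consent, and `wordpress_logged_in` lives for 30 days where the policy promises 14. Any non-empty result after a plugin install is the signal to update the policy, the banner categories, or both.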
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly. Designate someone in your organization as responsible for breach assessment and notification.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that meet any one of these thresholds: annual gross revenue over $25 million, buying, selling or sharing the personal information of 100,000+ California residents per year, or earning 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
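Even when card entry is delegated to the processor, card numbers still leak into scope the moment a customer pastes one into a contact form, an order note or a support ticket that your server then stores and logs. The following is an added example, not code from the article or from any processor's SDK: a server-side backstop that screens inbound form fields for Luhn-valid card-number patterns, rejects the submission and produces a redacted copy that is safe to log. The field names, the `screenSubmission` helper and the sample submission are constructed for the example; the test number used is Stripe's publicly documented test card.

```javascript
// Added example (not from the original article): keep card numbers out of your
// own forms, database and logs. Field names and helpers are assumptions.

// Luhn check: the checksum every real payment card number satisfies.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally separated by spaces or dashes, are
// candidates; only the Luhn-valid ones are treated as card numbers.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Replace every Luhn-valid run with a marker so the text can be logged.
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, (run) =>
    luhnValid(run.replace(/[ -]/g, '')) ? '[PAN REDACTED]' : run
  );
}

// Screen a whole submission (object of field name -> value). A submission
// carrying a card number is not accepted, and only the redacted copy may be
// written to logs or error reports.
function screenSubmission(fields) {
  const flaggedFields = [];
  const safeForLog = {};
  for (const [name, value] of Object.entries(fields)) {
    const text = String(value);
    const redacted = redactPans(text);
    if (redacted !== text) flaggedFields.push(name);
    safeForLog[name] = redacted;
  }
  return { accepted: flaggedFields.length === 0, flaggedFields, safeForLog };
}

// Constructed sample: a contact form where the customer pasted a card number.
const sampleSubmission = {
  name: 'Jane Doe',
  note: 'please charge card 4242-4242-4242-4242 exp 12/28',
  order: 'ref 1234567890123', // 13 digits but not Luhn-valid: left alone
};
console.log(screenSubmission(sampleSubmission));
```

Run this before persistence and before any logging middleware sees the request body. It is a backstop for the advice above, not a substitute for it: the primary control remains the processor's hosted or embedded form, which keeps the PAN off your server in the first place.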
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
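The five requirements above and the category table translate into a small amount of client-side logic: non-essential categories default to off, the visitor's active choice is recorded against a policy version, and blocked scripts are activated only for the categories that were consented to. The following JavaScript is an added example written for this article, not code from Complianz, CookieBot or any other plugin discussed below; the category names, the `data-cookiecategory` attribute, the `data-src` attribute and the script registry are assumptions chosen for the example, and the hostnames in it are constructed.

```javascript
// Added example (not from the article or any consent plugin): a minimal consent
// model for the ePrivacy/GDPR requirements listed above.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Default state: nothing pre-ticked. Only strictly necessary cookies are
// allowed before the visitor makes an active choice.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent state from an explicit choice. `necessary` can never be
// switched off, and any category the visitor did not explicitly tick stays off
// (scrolling or continuing to browse never turns anything on).
function consentFromChoice(ticked) {
  const state = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && ticked[cat] === true) state[cat] = true;
  }
  return state;
}

// "Accept All" and "Reject All" must be equally available; both are one call.
function acceptAll() {
  return consentFromChoice({ functional: true, analytics: true, marketing: true });
}
function rejectAll() {
  return defaultConsent();
}

// Consent record: what was consented to, when, by whom, and against which
// version of the cookie policy. The policy version matters because a later
// policy change needs fresh consent.
function makeConsentRecord(state, { visitorId, policyVersion, now = new Date() }) {
  return {
    visitorId,
    policyVersion,
    timestamp: now.toISOString(),
    categories: CATEGORIES.filter((c) => state[c]),
    method: 'banner-click',
  };
}

// A stored record only counts if it was given against the current policy.
function consentIsCurrent(record, policyVersion) {
  return record !== null && record !== undefined && record.policyVersion === policyVersion;
}

// Script registry: which third-party scripts belong to which category.
// Given a consent state, return the script URLs that may load now.
function scriptsAllowed(registry, state) {
  return registry.filter((s) => state[s.category] === true).map((s) => s.src);
}

// Browser-only part: the "script blocking" pattern. Tags are shipped as
// <script type="text/plain" data-cookiecategory="analytics" data-src="..."></script>
// so the browser does not execute them; only consented ones are activated.
// Returns the number of scripts activated (0 when there is no document).
function activateBlockedScripts(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-cookiecategory]')) {
    const cat = el.getAttribute('data-cookiecategory');
    if (state[cat] !== true) continue;
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Shipping third-party tags as `type="text/plain"` is what makes "prior" consent possible: the browser never runs them before the visitor's click, which is the mechanism behind the "Script Blocking" column in the plugin table below. Store the record the banner produces server-side (or in the plugin's consent log), not only in a cookie on the visitor's device, because the record is what you would produce to a supervisory authority.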
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
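The consent rules listed above (prior consent, granular categories, an equal "reject all", easy withdrawal, a stored record) and the category table can be enforced in a few dozen lines of client-side code. The following is an added example written for this article, not code from the page or from any of the plugins it compares: a consent manager that loads nothing outside the Strictly Necessary category until a decision exists, re-asks when the policy version changes, and writes a record of what was chosen, when and how. Storage and the script loader are injected, so in a browser you pass `window.localStorage` and a function that appends a `<script>` tag; the in-memory storage and the `POLICY_VERSION` value are constructed for the example.

```javascript
// Added example: a minimal consent manager for the browser, written for this
// article (not code from the article or any plugin it names). Nothing
// non-essential loads before a decision, categories are granular, "reject
// all" is one call like "accept all", withdrawal is recorded like any other
// decision, and every decision stores what/when/version/method.

const POLICY_VERSION = '2026-01'; // constructed; bump when the cookie policy changes so old records stop counting

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const KEY = 'cookie_consent';
  const registry = []; // { src, category, loaded }

  // Stored record, or null if there is none or it predates the current policy version.
  function getRecord() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION && rec.choices ? rec : null;
    } catch {
      return null;
    }
  }

  // Default is "not allowed": no record means no consent, and no consent means no cookie.
  function isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = getRecord();
    return rec !== null && rec.choices[category] === true;
  }

  // Register a third-party script under a category; it loads only once that category is permitted.
  function register(src, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    registry.push({ src, category, loaded: false });
    loadPermitted();
  }

  function loadPermitted() {
    for (const entry of registry) {
      if (!entry.loaded && isAllowed(entry.category)) {
        loadScript(entry.src);
        entry.loaded = true;
      }
    }
  }

  // Store a decision. `choices` is per category; `necessary` is always implied.
  function save(choices, method) {
    const rec = {
      version: POLICY_VERSION,
      timestamp: now().toISOString(),
      method, // 'accept_all', 'reject_all', 'custom' or 'withdrawn'
      choices: { necessary: true },
    };
    for (const c of CATEGORIES) if (c !== 'necessary') rec.choices[c] = choices[c] === true;
    storage.setItem(KEY, JSON.stringify(rec));
    loadPermitted();
    return rec;
  }

  const acceptAll = () => save({ functional: true, analytics: true, marketing: true }, 'accept_all');
  const rejectAll = () => save({}, 'reject_all');
  // Withdrawal is itself a recorded decision. Scripts already loaded in this page view
  // cannot be unloaded; the page must be reloaded and the vendors' cookies expired separately.
  const withdraw = () => save({}, 'withdrawn');

  const loaded = () => registry.filter(e => e.loaded).map(e => e.src);
  return { getRecord, isAllowed, register, save, acceptAll, rejectAll, withdraw, loaded };
}

// Constructed in-memory stand-in for window.localStorage, for tests and server-side use.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: k => m.delete(k),
  };
}
```

The record written by `save` is the evidence the "consent records" requirement asks for; in production it should also be sent to the server (the page's consent-log plugins do this), because a record that lives only in the visitor's browser cannot be produced when a regulator asks for it.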
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
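Tokenizing on the client keeps card numbers off your server only as long as nothing else sends one there: a customer pasting a number into an order note, a custom form field, or a misconfigured plugin can put a PAN in your request logs and database and pull you straight back into PCI scope. The following is an added example written for this article (not Stripe's, PayPal's or WooCommerce's code) of a checkout handler that accepts only a processor token and refuses any request carrying something card-number-shaped before it is logged or stored. The `paymentToken` and `amountCents` field names and the sample requests are constructed; the Luhn-valid number in the tests is a well-known test value, not a real card.

```javascript
// Added example: a server-side guard for a checkout endpoint, written for this
// article. The front end is expected to tokenize card details with the
// processor's client library and send only the token; if a raw card number
// arrives anyway, the request is rejected and only the field name is reported.

// Luhn check: the checksum every payment card number passes.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the text holds a 13-19 digit run (spaces or dashes allowed) that passes Luhn.
// Plain order numbers and timestamps almost never pass, so false positives are rare.
function looksLikeCardNumber(text) {
  const runs = String(text).match(/(?:\d[ -]?){13,19}/g) || [];
  return runs.some(run => {
    const digits = run.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Walk a parsed JSON body and return the paths of fields that look like a card number.
function findCardNumberFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findCardNumberFields(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof obj === 'string' || typeof obj === 'number') {
    if (looksLikeCardNumber(obj)) hits.push(path);
  }
  return hits;
}

// Checkout handler: takes a processor token plus order data, never a PAN.
// Returns a plain response object rather than writing to an HTTP framework so it is easy to test.
function handleCheckout(body) {
  const badFields = findCardNumberFields(body);
  if (badFields.length > 0) {
    // Report field names only; the values must never reach a log line.
    return { status: 400, error: 'raw card data not accepted', fields: badFields };
  }
  if (typeof body.paymentToken !== 'string' || !/^[A-Za-z0-9_]+$/.test(body.paymentToken)) {
    return { status: 400, error: 'payment token required' };
  }
  if (!Number.isInteger(body.amountCents) || body.amountCents <= 0) {
    return { status: 400, error: 'invalid amount' };
  }
  // At this point the token would be passed to the processor's charge API (hypothetical call, not shown).
  return { status: 200, charged: body.amountCents, token: body.paymentToken };
}
```

Run the same `findCardNumberFields` check over free-text fields elsewhere (support tickets, contact forms) to catch card numbers customers volunteer, and reject rather than redact: a rejected request is never written anywhere, a redacted one was in memory and possibly in an access log first.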
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
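The following is an added example, not code from the original post or from any of the plugins compared below. It models the four rules above as plain functions: nothing non-essential is on by default, "Reject All" is a one-click decision that is logged like "Accept All", withdrawal resets the state, and third-party tags ship inert and are only activated for consented categories. The category names, the `data-consent` attribute, the `type="text/plain"` gating convention and the 12-month re-prompt interval are assumptions chosen for the example.

```javascript
// Categories mirror the article's table; "necessary" is the exempt one.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const NON_ESSENTIAL = CATEGORIES.slice(1);

// State before any choice: nothing non-essential is pre-ticked.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn an explicit banner choice into a consent record. Every non-essential
// category must be an explicit boolean so a missing key can never be read as
// "accepted" (a form submitted with nothing ticked is a Reject All, not an Accept All).
function recordConsent(choices, { policyVersion, subjectId, now = () => new Date() }) {
  const consent = { necessary: true };
  for (const cat of NON_ESSENTIAL) {
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`explicit true/false required for "${cat}"`);
    }
    consent[cat] = choices[cat];
  }
  return {
    subjectId,                      // pseudonymous id kept in a first-party cookie (assumption)
    policyVersion,                  // which cookie policy text the user actually saw
    timestamp: now().toISOString(), // when consent was given
    consent,                        // what was consented to, per category
    withdrawnAt: null,
  };
}

function acceptAll(opts) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, opts);
}

// Reject All must be as easy as Accept All: one click, same shape of record.
function rejectAll(opts) {
  return recordConsent({ functional: false, analytics: false, marketing: false }, opts);
}

// Withdrawal returns to the default state but keeps the original record for the log.
function withdrawConsent(record, now = () => new Date()) {
  return { ...record, consent: defaultConsent(), withdrawnAt: now().toISOString() };
}

// A stored record only counts while it refers to the current policy text and is
// younger than maxAgeDays (assumption: re-prompt after 12 months).
function consentIsCurrent(record, currentPolicyVersion, now = () => new Date(), maxAgeDays = 365) {
  if (!record || record.withdrawnAt !== null) return false;
  if (record.policyVersion !== currentPolicyVersion) return false;
  const ageMs = now().getTime() - new Date(record.timestamp).getTime();
  return ageMs >= 0 && ageMs <= maxAgeDays * 86400000;
}

// Script blocking: third-party tags ship inert, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/a.js"></script>
// and are represented here as { category, src }. Only tags whose category is
// consented may become real scripts; an unknown category fails closed.
function scriptsAllowed(gatedScripts, record, currentPolicyVersion, now) {
  const consent = consentIsCurrent(record, currentPolicyVersion, now)
    ? record.consent
    : defaultConsent();
  return gatedScripts.filter((s) => consent[s.category] === true);
}

// Browser-only wiring: swap inert tags for executable ones. Returns the number
// activated; does nothing outside a browser.
function activateScripts(record, currentPolicyVersion) {
  if (typeof document === "undefined") return 0;
  const gated = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.src, el }));
  let activated = 0;
  for (const s of scriptsAllowed(gated, record, currentPolicyVersion)) {
    const live = document.createElement("script");
    live.src = s.src;
    s.el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Call `activateScripts` once on page load with the stored record and again after every banner decision; the analytics and marketing tags never execute before a matching record exists.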
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour there - and analytics, advertising pixels and tracking cookies count as monitoring. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to, or monitoring the behaviour of, people in the EU | Lawful basis for processing, consent, data subject rights, DPO for large-scale monitoring or sensitive-data processing | EUR 20M or 4% of global annual turnover, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale or sharing, no discrimination for exercising rights | $2,500 per violation, $7,500 per intentional violation (amounts are inflation-adjusted) |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% of Brazilian annual revenue per infraction, capped at R$50M |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 per offence |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | £17.5M or 4% of global annual turnover, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data from visitors in the EU (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Consent, contract performance, legal obligation, or legitimate interest - GDPR lists six bases, but the other two (vital interests, public task) rarely apply to a website. Name the basis per purpose, not one basis for everything
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers any storing of, or access to, information on the visitor’s device, not only HTTP cookies: localStorage entries, tracking pixels and fingerprinting scripts need the same consent.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, and under which version of your cookie policy. Tie it to a random consent ID held in a strictly necessary cookie rather than to the visitor’s identity; the record should not create more personal data than the consent it documents
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under ePrivacy/GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex or numerous requests - tell the requester if you extend)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as legal retention duties; pass the erasure on to your processors)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards, and some incorporate the DPA into their standard terms so that accepting the terms accepts the DPA. Completing them is a 10-minute task per vendor. Keep a copy of the version you accepted - a regulator will ask for it - and remember that not having DPAs in place is a GDPR violation (Article 28) even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media); plugins have to register their own data with those tools, and many do not. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear in a test export, and use the plugin’s own tools where they do not. The WordPress tools also only touch your own database: a subject’s data you sent to processors (email platform, CRM, analytics) has to be exported or deleted there as well, so pass each request on to every processor holding that person’s data.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; the clock runs over weekends and holidays, and a late notification must explain the delay. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Keep an internal log of every breach, including those you decide not to report - the regulator can ask to see it. Designate someone responsible for breach assessment and notification in your organization, and check that your hosting and SaaS DPAs oblige the vendor to tell you promptly about breaches on their side, since their delay becomes your delay.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (a figure adjusted for inflation periodically), buy/sell/share personal information of 100,000+ California residents or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions, and “sharing” explicitly covers cross-context behavioral advertising.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out - the CPRA regulations treat the signal as a valid request, so a consent tool that ignores it leaves you non-compliant even with the link in place. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether yours also processes GPC.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, not even in transit, your scope shrinks to SAQ A (the simplest self-assessment questionnaire). The page that embeds the form is still yours to protect, and PCI DSS v4 pays specific attention to it: a script injected into your checkout page (the Magecart pattern) can read card data before it reaches the processor’s iframe, so keep third-party scripts off checkout pages, set a strict Content-Security-Policy there, and confirm that the form really is an iframe or redirect rather than fields posted to your own server (which would move you to SAQ A-EP or worse).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
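A server-side guard is the check that keeps you in that reduced scope. The block below is an added example, not code from the original article, Stripe, PayPal or WooCommerce: it scans any inbound payload for values shaped like a primary account number (13 to 19 digits passing the Luhn checksum) and rejects the request before a handler, logger or database can touch it. The field names, the Express wiring in the comment and the sample payloads are constructed for the example.

```javascript
// Added example (not from the original article, Stripe, PayPal or WooCommerce):
// reject any inbound request that carries something shaped like a card number.
// Field names, the Express wiring in the comment and all sample values are
// constructed for this example.

// Luhn checksum: every real PAN passes it, so it separates card numbers from
// order IDs, phone numbers and other long digit strings most of the time.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs: 13-19 digits, optionally separated by spaces or dashes, not
// glued to further digits. Processor tokens (pm_..., tok_...) contain letters
// and never match; short numeric IDs never reach 13 digits.
const PAN_RUN = /(?<!\d)(?:\d[ -]?){13,19}(?!\d)/g;

function looksLikePan(value) {
  if (typeof value === 'number') value = String(value);   // JSON may carry the PAN as a number
  if (typeof value !== 'string') return false;
  for (const run of value.match(PAN_RUN) || []) {
    const digits = run.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Walk a parsed body (nested objects and arrays) and return the paths of
// every value that looks like a PAN, e.g. "card.number" or "items.0.sku".
function findPans(body, path = '') {
  if (body && typeof body === 'object') {
    return Object.entries(body).flatMap(([k, v]) => findPans(v, path ? `${path}.${k}` : k));
  }
  return looksLikePan(body) ? [path || '(root)'] : [];
}

// The guard decision. Returning an object instead of writing to `res` keeps
// it testable without an HTTP server. Only the field path is reported, never
// the value, so the rejection log cannot itself become a PAN store.
function guardCheckout(body) {
  const fields = findPans(body);
  if (fields.length > 0) {
    return { ok: false, status: 400, reason: 'card data must never reach this server', fields };
  }
  return { ok: true, status: 200 };
}

// Assumed Express wiring, applied to every route that accepts user input:
// app.use((req, res, next) => {
//   const d = guardCheckout(req.body);
//   if (!d.ok) return res.status(d.status).json({ error: d.reason, fields: d.fields });
//   next();
// });
```

Apply it to every route that accepts form or JSON input, not only checkout: a support form is the classic place where a customer pastes a full card number. The well-known test number 4242 4242 4242 4242 makes a convenient fixture because it passes Luhn without being a real card; a 13-digit order reference that fails Luhn is the matching negative case.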
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses - put the renewal date in the same compliance calendar as your other reviews. The law also requires the agent’s name and contact details to be posted on your own site, so add a DMCA policy page explaining your takedown process, listing the agent, and designating an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or between 13 and 16 for EU sites depending on the member state), and add a date of birth or age check to registration forms if there is any possibility of underage users. If the check reveals an underage user, stop collecting and delete what you already have - and since a date of birth is itself personal data, store only the outcome of the check rather than the date.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account. GDPR consent cannot be bundled into that checkbox: account data needed to provide the service is processed under the contract basis and needs no consent at all, while marketing email needs its own separate, unticked checkbox that the user can leave empty and still register.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy “soft opt-in” for existing customers buying similar products is the narrow exception). Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and you must honor opt-outs within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with only narrow implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies off and IP addresses truncated it meets the conditions under which regulators such as France’s CNIL exempt audience measurement from consent; with default settings it needs consent like any other analytics tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Article 7(1)): store what was consented to, when, which version of the cookie policy the visitor saw, and a consent identifier. For logged-out visitors that identifier is a random ID kept alongside the consent cookie, not a name or IP address collected only to log the consent
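The rules above translate directly into how a consent script has to behave. What follows is an added example written for this page, not code from the article or from any of the consent plugins it compares: a small consent manager that loads nothing non-essential before an explicit decision, keeps every optional category off by default, records each decision with a timestamp, policy version and consent ID, and makes withdrawal a single call. The script definitions, the `loadScript` callback and the `policyVersion` value are assumptions; in a browser `loadScript` would insert a `<script>` element, here it is injected so the logic runs in Node without a DOM.

```javascript
// Added example for this page; not the article's own code and not any plugin's.
// Models the consent requirements above: prior consent, granular categories,
// no pre-ticked defaults, a record per decision, withdrawal as easy as granting.
// Assumed shape of a script definition: { id, category, cookies }.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Only strictly necessary is on by default; nothing else is pre-ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  constructor({ policyVersion, loadScript, now = () => new Date(), consentId }) {
    this.policyVersion = policyVersion;   // which cookie policy text the visitor saw
    this.loadScript = loadScript;         // injected: in a browser, inserts the tag
    this.now = now;                       // injected clock, so records are testable
    // In a browser use crypto.randomUUID(); the fallback keeps this DOM-free.
    this.consentId = consentId || "c-" + Math.random().toString(16).slice(2);
    this.choices = null;                  // null = no decision yet: nothing optional loads
    this.pending = [];                    // tags waiting for consent
    this.loaded = new Map();              // id -> script definition, once loaded
    this.records = [];                    // audit trail, newest last
  }

  // Register a tag. Necessary tags load at once; everything else waits.
  register(script) {
    if (!CATEGORIES.includes(script.category)) {
      throw new Error("unknown cookie category: " + script.category);
    }
    if (script.category === "necessary") { this._load(script); return; }
    this.pending.push(script);
    this._flush();
  }

  // Record an explicit decision. Categories the visitor did not actively tick
  // stay false: a missing or non-boolean value can never switch a category on.
  decide(choices = {}, method) {
    const next = defaultChoices();
    for (const c of CATEGORIES) {
      if (c !== "necessary" && choices[c] === true) next[c] = true;
    }
    this.choices = next;
    const record = {
      consentId: this.consentId,
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(),
      method,                             // e.g. "accept-all button", "settings dialog"
      choices: { ...next },
    };
    this.records.push(record);
    this._flush();
    return record;
  }

  acceptAll(method = "accept-all button") {
    return this.decide({ functional: true, analytics: true, marketing: true }, method);
  }

  // Reject and withdraw are one action each, the same cost as accepting.
  rejectAll(method = "reject-all button") { return this.decide({}, method); }
  withdraw(method = "footer cookie settings") { return this.rejectAll(method); }

  allowed(category) {
    if (category === "necessary") return true;
    return this.choices !== null && this.choices[category] === true;
  }

  // A loaded tag cannot be unloaded, but its cookies can be expired. After a
  // withdrawal this lists the names the site must overwrite with Max-Age=0.
  cookiesToDelete() {
    const names = [];
    for (const s of this.loaded.values()) {
      if (!this.allowed(s.category)) names.push(...(s.cookies || []));
    }
    return names;
  }

  _flush() {
    if (this.choices === null) return;    // no decision yet: load nothing
    this.pending = this.pending.filter((s) => {
      if (this.allowed(s.category)) { this._load(s); return false; }
      return true;                        // still blocked, keep waiting
    });
  }

  _load(s) {
    if (this.loaded.has(s.id)) return;
    this.loaded.set(s.id, s);
    this.loadScript(s);
  }
}

// Stand-alone demo (constructed): a visitor allows analytics only, then withdraws.
const demo = new ConsentManager({ policyVersion: "2026-01", loadScript: (s) => console.log("loading", s.id) });
demo.register({ id: "ga4", category: "analytics", cookies: ["_ga", "_gid"] });
demo.register({ id: "meta-pixel", category: "marketing", cookies: ["_fbp"] });
demo.decide({ analytics: true }, "settings dialog");   // loads ga4 only
demo.withdraw();
console.log("expire:", demo.cookiesToDelete());         // [ '_ga', '_gid' ]
```

The point the code makes that the list alone does not: "prior" consent is a loading order problem, so the tags have to be registered through the gate rather than pasted into the template, and withdrawal is only complete once the cookies those tags already set have been expired and persisted choices stop the tags loading on the next page view.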
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (default cookie mode), Hotjar session recordings | Yes under GDPR (a cookie-less, IP-truncated Matomo configuration can be exempt - see the privacy-first analytics section) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
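One way to check the "prior" requirement against the categories in this table, as an added example for this page rather than code from the article or from any scanner it names: load the site in a browser that has given no consent, export its cookie store, classify each cookie with a name-pattern table, and report anything non-essential that is already present, plus missing `Secure`, `HttpOnly` and `SameSite` attributes on the strictly necessary ones. The cookie objects use the field names Playwright's `BrowserContext.cookies()` returns, but the sample below is constructed, not captured; the pattern table and its category names are assumptions, while the cookie names inside it are the defaults set by WordPress, WooCommerce, Google Analytics, Matomo, Hotjar and Meta Pixel.

```javascript
// Added example for this page; not from the article or from any cookie scanner.
// Input: cookies observed in a browser that has NOT consented to anything, in
// the shape Playwright's BrowserContext.cookies() returns:
// { name, value, domain, path, expires (-1 = session), httpOnly, secure, sameSite }.

// Name patterns -> category. Assumed table; the names are tool defaults.
const COOKIE_PATTERNS = [
  { category: "necessary",  re: /^(PHPSESSID|wordpress_logged_in_|wordpress_sec_|wordpress_test_cookie|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_|csrftoken|XSRF-TOKEN)/ },
  { category: "functional", re: /^(wp-settings-|wp_lang|pll_language)/ },
  { category: "analytics",  re: /^(_ga$|_ga_|_gid$|_gat|_pk_id|_pk_ses|_hj)/ },
  { category: "marketing",  re: /^(_fbp$|_fbc$|_gcl_|IDE$|fr$)/ },
];

function classify(name) {
  const hit = COOKIE_PATTERNS.find((p) => p.re.test(name));
  return hit ? hit.category : "unclassified";
}

// Returns one finding per cookie that needs attention; clean cookies are omitted.
function auditPreConsentCookies(cookies) {
  const findings = [];
  for (const c of cookies) {
    const category = classify(c.name);
    const problems = [];
    if (category === "analytics" || category === "marketing") {
      problems.push(`set before consent (${category})`);
    } else if (category === "functional") {
      problems.push("functional cookie set before consent: confirm it is user-requested or gate it");
    } else if (category === "unclassified") {
      problems.push("unclassified: identify the plugin that sets it and assign a category");
    }
    if (category === "necessary") {
      // Session/auth cookies: attributes the consent rules do not require but a
      // security review will. Third-party cookies are not checked here because
      // their attributes are set by the vendor's script, not by your server.
      if (!c.secure) problems.push("missing Secure");
      if (!c.httpOnly) problems.push("missing HttpOnly");
      if (!c.sameSite || c.sameSite === "None") problems.push("SameSite is None or unset");
    }
    if (problems.length) {
      findings.push({ name: c.name, category, persistent: c.expires !== -1, problems });
    }
  }
  return findings;
}

// Constructed sample: a WordPress site where GA4 and Meta Pixel fire without a
// consent gate, the login cookie lacks Secure, and one plugin cookie is unknown.
const SAMPLE_PRECONSENT_COOKIES = [
  { name: "PHPSESSID", value: "k3j4h5", domain: "www.example.com", path: "/", expires: -1, httpOnly: true, secure: true, sameSite: "Lax" },
  { name: "wordpress_logged_in_1a2b", value: "alice%7C1700000000", domain: "www.example.com", path: "/", expires: -1, httpOnly: true, secure: false, sameSite: "Lax" },
  { name: "_ga", value: "GA1.1.12345.1700000000", domain: ".example.com", path: "/", expires: 1763000000, httpOnly: false, secure: false, sameSite: "Lax" },
  { name: "_ga_ABC123", value: "GS1.1.1700000000.1.0", domain: ".example.com", path: "/", expires: 1763000000, httpOnly: false, secure: false, sameSite: "Lax" },
  { name: "_fbp", value: "fb.1.1700000000000.987", domain: ".example.com", path: "/", expires: 1707776000, httpOnly: false, secure: false, sameSite: "Lax" },
  { name: "wp_lang", value: "en_US", domain: "www.example.com", path: "/", expires: -1, httpOnly: false, secure: false, sameSite: "Lax" },
  { name: "cb_seen", value: "1", domain: "www.example.com", path: "/", expires: 1763000000, httpOnly: false, secure: true, sameSite: "Lax" },
];

console.log(JSON.stringify(auditPreConsentCookies(SAMPLE_PRECONSENT_COOKIES), null, 2));
```

Run the export after every plugin install, not only on a monthly schedule, and treat an "unclassified" finding as a task rather than noise: a cookie you cannot attribute to a plugin is one you cannot describe in the cookie policy either.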
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt; this can be extended by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within one month, with the same extension rule, subject to the Article 17 exceptions such as data you must keep to meet a legal obligation)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must explain the delay. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly, without undue delay. Designate someone responsible for breach assessment and notification in your organization, and keep an internal record of every breach, including the ones you decide not to report.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). That reduction holds only while the card fields themselves are delivered by the processor (a redirect to a hosted page, or an iframe the processor serves); if JavaScript on your own page handles the card fields, the longer SAQ A-EP applies instead. Even under SAQ A, PCI DSS v4 expects you to protect the page that embeds the form from script injection, because a compromised script on that page can skim what the visitor types around the iframe.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or the safe harbor lapses - put the renewal date in the compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and a marketing checkbox must never be pre-ticked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and a valid postal address, and opt-out requests must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages unless implied consent applies - for example an existing business relationship, which CASL time-limits (two years after a purchase, six months after an inquiry).
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. When run cookie-less, with IP address truncation and without cross-site tracking, it fits the audience-measurement exemption that regulators such as France’s CNIL recognise, so no consent banner is needed for it; in its default cookie mode it needs consent like any other analytics tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Users' data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (browsing the public site implies acceptance; for accounts and paid services use an explicit checkbox, which courts enforce far more reliably than implied acceptance)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of your cookie policy. Store this against a random consent ID rather than the visitor's IP address where possible - the record that proves consent should not itself become a new tracking dataset
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - exempt, provided the cookie does only that job (a session cookie that is also used to track visitors loses the exemption) |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under the ePrivacy rules and GDPR; a few national regulators (France's CNIL, for example) exempt narrowly configured first-party audience measurement |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; GDPR allows a two-month extension for complex requests, but only if you tell the requester within the first month)
- Process for deletion requests (erase data within one month, with exceptions such as records you are legally required to keep for tax or accounting purposes)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. GDPR Article 28 requires a written contract with every processor, so a missing DPA is a violation on its own, even if everything else is in order. Keep a copy of each signed DPA (or a dated record of the click-through acceptance) with your data map so you can produce it on request.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Every breach, reported or not, must be recorded internally with its facts, effects and the remedial action taken (Article 33(5)), so keep a breach register. Designate someone responsible for breach assessment and notification, and make sure your hosting provider and other processors are contractually required to tell you about incidents promptly - the 72-hour clock is hard to meet if you learn of a breach late.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor's servers and never touches yours, your PCI scope is dramatically reduced, typically to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, logs, or form-plugin submissions. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside the processor's iframe, and tokenizing them before anything reaches your server. Reduced scope is not zero scope: a malicious script injected into your checkout page (for example through a compromised plugin) can overlay a fake card form or redirect the customer, which is how web-skimming attacks work. Keep the checkout page's plugins patched and restrict which scripts that page may load.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 in the US under COPPA; GDPR sets 16 for consent-based processing by default, though member states may lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Do not keep the date of birth once the check is done unless you have a separate reason to.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp and the version of the terms accepted alongside the account, not just a yes/no flag. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, and none of them may be pre-ticked - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the narrow "soft opt-in" for existing customers comes from the ePrivacy rules and varies by country). Under CAN-SPAM (US), opt-in is not required but opt-out requests must be honored within 10 business days. Under CASL (Canada), explicit opt-in is required for commercial messages, with implied consent allowed only in narrow cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests immediately (not within 10 business days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly (tracking cookies disabled and IP anonymisation enabled - verify both settings, because the defaults do set cookies).
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
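The mechanics above (prior consent, granular categories, easy withdrawal, a stored record, and the script blocking listed for the plugins later on) fit in a small consent manager. This is an added example written for this section, not code from the article or from any of the plugins it compares; the category names, storage keys, record format and `data-cookie-category` attribute are this example's own conventions.

```javascript
// Added example (not from the article or any consent plugin): a minimal consent
// manager. Category names, storage keys, the record format and the
// data-cookie-category attribute are this example's own conventions.

const CATEGORIES = ['functional', 'analytics', 'marketing']; // strictly necessary is never gated
const CONSENT_KEY = 'cookie_consent_v1';       // current decision
const CONSENT_LOG_KEY = 'cookie_consent_log';  // append-only history of decisions
const CONSENT_MAX_AGE_DAYS = 365;              // re-ask after a year (policy choice, not a legal figure)

// localStorage-compatible in-memory store so the example also runs under Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Record what was consented to, when, by which (pseudonymous) visitor and how.
// Anything not explicitly set to true is treated as refused (no pre-ticked defaults).
function makeConsentRecord(choices, visitorId, method, now) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: 1, visitorId, method, timestamp: now.toISOString(), granted };
}

class ConsentManager {
  constructor(storage, now = () => new Date()) { this.storage = storage; this.now = now; }

  // Current valid decision, or null if none was recorded or it has aged out.
  current() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    const ageMs = this.now().getTime() - Date.parse(rec.timestamp);
    return ageMs > CONSENT_MAX_AGE_DAYS * 86400000 ? null : rec;
  }

  needsBanner() { return this.current() === null; }

  // "Prior" consent: with no valid record, every non-essential category is denied.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    const rec = this.current();
    return rec !== null && rec.granted[category] === true;
  }

  // Store the decision and append it to the log so later withdrawals stay auditable.
  record(choices, visitorId, method) {
    const rec = makeConsentRecord(choices, visitorId, method, this.now());
    this.storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    const log = this.history();
    log.push(rec);
    this.storage.setItem(CONSENT_LOG_KEY, JSON.stringify(log));
    return rec;
  }

  history() { return JSON.parse(this.storage.getItem(CONSENT_LOG_KEY) || '[]'); }

  acceptAll(visitorId) {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.record(all, visitorId, 'accept_all');
  }
  rejectAll(visitorId) { return this.record({}, visitorId, 'reject_all'); }
  // Withdrawal is one click from the footer link: a new, fully refused record.
  withdraw(visitorId) { return this.record({}, visitorId, 'withdraw'); }
}

// Script blocking. Third-party tags ship inert as
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// so the browser never executes them. Return the ones whose category is allowed now.
function scriptsToActivate(blockedScripts, manager) {
  return blockedScripts.filter((s) => manager.isAllowed(s.category));
}

// Browser glue (not exercised under Node): replace allowed inert tags with live ones.
function activateInDom(doc, manager) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const blocked = tags.map((el) => ({ category: el.dataset.cookieCategory, el }));
  for (const { el } of scriptsToActivate(blocked, manager)) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

// Walk-through with constructed data: nothing loads before a decision, a granular
// "analytics only" choice loads just that tag, withdrawal blocks everything again.
function demo() {
  const cm = new ConsentManager(new MemoryStorage());
  const blocked = [
    { category: 'analytics', src: '/vendor/analytics.js' },   // placeholder paths
    { category: 'marketing', src: '/vendor/ad-pixel.js' },
  ];
  const beforeDecision = scriptsToActivate(blocked, cm).length;
  cm.record({ analytics: true }, 'visitor-42', 'banner');
  const afterGranular = scriptsToActivate(blocked, cm).map((s) => s.category);
  cm.withdraw('visitor-42');
  const afterWithdraw = scriptsToActivate(blocked, cm).length;
  return { beforeDecision, afterGranular, afterWithdraw, logEntries: cm.history().length };
}

console.log(JSON.stringify(demo()));
```

The stored decision itself counts as strictly necessary and needs no consent; a real deployment would also ship the consent log to the server so records survive a cleared browser.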
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
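The consent rules above and the category table can be turned into a small script gate. This is an added example, not code from the original post or from any consent plugin; the script manifest (ids, categories, URLs) is constructed, and the policy version string is an assumed convention you bump whenever the cookie policy changes.

```javascript
// Added example, not code from the original post or from any consent plugin:
// a minimal consent gate implementing the rules above in plain JavaScript.
// Assumed: a constructed script manifest (ids, categories and URLs are made up)
// and a policy version string you bump whenever the cookie policy changes.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // records from an older version are stale: re-ask

// Constructed manifest of the tags a typical site would gate. Only "necessary"
// (session, login, CSRF token helpers) is exempt from consent.
const SCRIPT_MANIFEST = [
  { id: "csrf-helper", category: "necessary",  src: "/js/csrf.js" },
  { id: "lang-pref",   category: "functional", src: "/js/lang.js" },
  { id: "matomo",      category: "analytics",  src: "https://analytics.example/matomo.js" },
  { id: "ad-pixel",    category: "marketing",  src: "https://ads.example/pixel.js" },
];

// Build a consent record from the visitor's explicit choices, e.g.
// { analytics: true, marketing: false }. Anything not explicitly true is
// refused (no pre-ticked defaults); "necessary" is always on. The record is
// what you store (server-side for logged-in users, localStorage otherwise)
// so you can show what was consented to, when, and under which policy.
function recordConsent(choices, { now = new Date(), userId = null } = {}) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  return {
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    userId,           // null for anonymous visitors, account id when logged in
    granted,
    withdrawnAt: null,
  };
}

// Withdrawal must be as easy as granting: one call turns every optional
// category off and keeps the original record's timestamp for the audit trail.
function withdrawConsent(record, now = new Date()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) if (c !== "necessary") granted[c] = false;
  return { ...record, granted, withdrawnAt: now.toISOString() };
}

// Which manifest entries may load right now. No record (first visit) or a
// record for an older policy version => only "necessary" loads. Nothing in a
// consent-requiring category is fetched until an active choice exists.
function allowedScripts(record, manifest = SCRIPT_MANIFEST) {
  const valid = !!record && record.policyVersion === POLICY_VERSION;
  return manifest
    .filter((s) => s.category === "necessary" || (valid && record.granted[s.category] === true))
    .map((s) => s.id);
}

// Browser-side injection: creates <script> tags only for allowed entries.
// A no-op outside a DOM so the decision logic above can be tested in Node.
function injectAllowed(record, manifest = SCRIPT_MANIFEST) {
  const ids = allowedScripts(record, manifest);
  if (typeof document === "undefined") return ids;
  for (const s of manifest) {
    if (!ids.includes(s.id) || document.getElementById(s.id)) continue;
    const el = document.createElement("script");
    el.id = s.id;
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
  return ids;
}
```

Run `injectAllowed(storedRecord)` on page load and again after the banner's "Save" or "Withdraw" click; a real banner also needs a "Reject All" button that calls `recordConsent({})`.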
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CPRA amended the CCPA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint. Whichever generator you use, the questionnaire answers are only as good as your data map: an auto-updated policy that still omits a plugin you installed last month is still inaccurate.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies or reading other identifiers from the visitor’s device. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. Verify this yourself: open the site in a fresh private window, do not touch the banner, and inspect the browser’s Application > Cookies panel and the network log. Any analytics or advertising cookie, or any request to an analytics or ad domain, that appears before you interact with the banner is a violation no matter what the banner says.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7), so store a record of what was consented to, when, under which version of your cookie policy, and by which visitor - normally a pseudonymous consent ID set by the banner rather than a name
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR as a rule; a few supervisory authorities (CNIL among them) exempt strictly first-party audience measurement configured to their guidance, which is why cookie-less Matomo can run without a banner while Google Analytics cannot |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; GDPR allows a further two months for complex or numerous requests if you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you must keep for legal or accounting reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order. For vendors that process the data outside the EU/UK (most US SaaS platforms), the DPA alone is not enough: check that it also includes a transfer mechanism such as the EU Standard Contractual Clauses or a current Data Privacy Framework certification, and note which one in your data map.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Both start by sending a confirmation email to the address concerned, so the requester has to prove control of that mailbox before anything is exported or erased - keep that step; handing a data export to whoever fills in a form is itself a breach. These tools work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools, or register them with the core exporter and eraser hooks so one request covers everything.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly and without undue delay. Keep an internal breach register of every incident, including the ones you decide not to report and why - the regulator can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting and SaaS DPAs oblige the vendor to tell you promptly, since the 72-hour clock runs from your awareness, not theirs.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control signal (the Sec-GPC: 1 request header, or navigator.globalPrivacyControl in the browser) as an opt-out - the CPRA regulations treat such opt-out preference signals as binding. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether yours also reads GPC, because a footer link alone does not satisfy that part.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside the processor’s own iframe, and returning a token to your server in place of the card number. Two checks worth doing: inspect the checkout page and confirm the card fields live in an iframe served from the processor’s domain, not in your own DOM; and keep the checkout page free of unvetted third-party JavaScript, because PCI DSS v4 treats scripts on the payment page as an attack surface (even SAQ A merchants have to confirm the page is protected against script injection), and a compromised marketing tag on that page can read the form before the iframe ever sees it.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or the registration lapses - put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, so log the timestamp and the version of the terms that was shown. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing box must be unticked by default.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but every message must carry a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with narrow implied-consent exceptions such as an existing business relationship, and the burden of proving consent is on the sender.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
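The five requirements above and the category table map directly onto a small piece of logic that every consent banner implements under the hood: nothing non-essential loads before a decision exists, each category is decided separately, withdrawal is just another recorded decision, and every decision is logged. The following is an added example written for this article, not code from the article or from any of the plugins compared below; the `ConsentManager` class, the category names and the sample script inventory are assumptions for illustration, and a real banner would persist the records server-side rather than in memory.

```javascript
// Added example: consent state, script gating and an append-only consent log.
// ConsentManager, the category names and SCRIPTS are assumptions, not any plugin's API.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

class ConsentManager {
  // `now` is injectable so the log can be tested with fixed timestamps.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.records = []; // append-only log: what was consented to, when, by whom
    this.state = { necessary: true, functional: false, analytics: false, marketing: false };
  }

  // "Prior" consent: until a decision is recorded, nothing non-essential may run.
  hasDecision() {
    return this.records.length > 0;
  }

  // Granular, active consent: the caller passes only the categories the user ticked.
  // Categories not mentioned default to false (no pre-ticking). `necessary` is exempt
  // and cannot be switched off.
  setConsent(userId, choices, method = 'banner') {
    const decision = { necessary: true, functional: false, analytics: false, marketing: false };
    for (const category of Object.keys(choices)) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      if (category !== 'necessary') decision[category] = choices[category] === true;
    }
    this.state = decision;
    this.records.push({ userId, at: this.now(), method, categories: { ...decision } });
    return { ...decision };
  }

  // "Accept All" and "Reject All" must be equally easy; both are one call.
  acceptAll(userId) {
    return this.setConsent(userId, { functional: true, analytics: true, marketing: true }, 'accept_all');
  }

  rejectAll(userId) {
    return this.setConsent(userId, {}, 'reject_all');
  }

  // Withdrawal is as easy as giving consent: it appends a new record, it never edits an old one.
  withdraw(userId) {
    return this.setConsent(userId, {}, 'withdraw');
  }

  // Script blocking: a tag may load only if a decision exists and its category is allowed.
  canLoad(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true;
    return this.hasDecision() && this.state[category] === true;
  }

  latestRecord() {
    return this.records.length ? this.records[this.records.length - 1] : null;
  }
}

// Constructed sample inventory: each tag the site loads, labelled with its category.
const SCRIPTS = [
  { src: '/js/csrf.js', category: 'necessary' },
  { src: '/js/analytics-vendor.js', category: 'analytics' },
  { src: '/js/ad-pixel-vendor.js', category: 'marketing' },
];

// Returns the script URLs that are allowed to load under the current consent state.
function scriptsAllowed(manager) {
  return SCRIPTS.filter((s) => manager.canLoad(s.category)).map((s) => s.src);
}
```

The point worth checking in any real banner is the `canLoad` branch: before the first record exists, only `necessary` returns true, so the analytics and marketing tags are never injected for a visitor who has not yet decided. Rescanning the site (the monthly task in the maintenance table below) is what keeps the `SCRIPTS` inventory honest after a new plugin adds a tag nobody categorised.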
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
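Client-side tokenization only keeps you in SAQ A scope if a full card number really never reaches your server, and a misconfigured form or a custom checkout field can quietly break that. A cheap detective control is to scan incoming checkout payloads for anything shaped like a card number and reject the request before it is logged or stored. The following is an added example, not code from the article, Stripe, PayPal or WooCommerce; the `assertNoCardData` helper, the Luhn check and the sample payloads are constructed for illustration.

```javascript
// Added example: refuse any server-side request that carries a full card number (PAN).
// assertNoCardData and the sample payloads are assumptions, not any processor's API.

// Luhn check over a string of digits; every real card number passes it.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walks a JSON-like payload and returns the paths of every value that looks like a PAN:
// 13 to 19 digits once spaces and dashes are removed, and Luhn-valid. Processor tokens
// such as "tok_..." or "pm_..." never match because they are not all-digit strings.
function findCardNumbers(value, path = '$', found = []) {
  if (typeof value === 'string') {
    const compact = value.replace(/[\s-]/g, '');
    if (/^\d{13,19}$/.test(compact) && luhnValid(compact)) found.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findCardNumbers(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) findCardNumbers(value[key], `${path}.${key}`, found);
  }
  return found;
}

// Call this before the payload is logged, persisted or forwarded. Throwing here keeps
// the PAN out of request logs and error reports as well as out of the database.
function assertNoCardData(payload) {
  const hits = findCardNumbers(payload);
  if (hits.length > 0) {
    throw new Error(`card data must not reach this server: ${hits.join(', ')}`);
  }
  return true;
}

// Constructed sample payloads. The first is what a correctly tokenized checkout sends;
// the second is what a broken form sends. 4111 1111 1111 1111 is a well-known test number.
const tokenizedCheckout = {
  customer: { email: 'buyer@example.com', phone: '+1 555 0100' },
  payment_method: 'pm_constructed_example_token',
  order_id: '1234567890123',
};
const leakingCheckout = {
  customer: { email: 'buyer@example.com' },
  card: { number: '4111 1111 1111 1111', exp: '12/30' },
};
```

The `order_id` in the sample is a 13-digit string that fails Luhn, so the scanner does not flag it; that is the false-positive guard that keeps the check usable on real order data. Run the same scanner over log files and support-ticket attachments periodically: a PAN that lands in a log is a PCI scope problem even when the database is clean.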
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
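The requirements above and the categories in the table, as an added example that is not code from the original post: a minimal consent manager that loads nothing non-essential before a decision, treats every category not explicitly granted as refused, records what was decided, when and by whom, and makes withdrawal a single call. The storage and script-loader hooks, the `visitorId`, the policy version number and the script URLs are all assumptions for illustration.

```javascript
// Added example (not the post's or any plugin's code). Storage and script loading
// are injected so the same logic runs in a browser (localStorage + a <script>
// injector) or, as here, in memory.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Bump whenever your cookie list or vendors change: consent given under an
// older policy no longer counts and the banner is shown again.
const POLICY_VERSION = 2; // assumed value

class ConsentManager {
  // store:      { get(key) -> string|null, set(key, string) }  e.g. window.localStorage
  // loadScript: (src) -> void                                  e.g. append a <script> tag
  // visitorId:  pseudonymous id the record is tied to ("by which user")
  constructor({ store, loadScript, visitorId, now = () => new Date() }) {
    this.store = store;
    this.loadScript = loadScript;
    this.visitorId = visitorId;
    this.now = now;
    this.gated = { functional: [], analytics: [], marketing: [] }; // scripts waiting for consent
    this.loaded = new Set();
  }

  // Register a non-essential script under its category. It is NOT loaded here:
  // "prior" consent means the tag must not run until the visitor has decided.
  register(category, src) {
    if (!(category in this.gated)) throw new Error(`not a consent-gated category: ${category}`);
    this.gated[category].push(src);
    this.applyConsent(); // a returning visitor with a stored grant gets the script immediately
  }

  // The decision in force, or null when there is none (or it predates the current policy).
  current() {
    const raw = this.store.get("cookie_consent");
    if (raw === null) return null;
    const record = JSON.parse(raw);
    return record.version === POLICY_VERSION ? record : null;
  }

  // Record a decision. Any category the visitor did not explicitly grant is refused,
  // which is what "no pre-ticked boxes" means in code. "necessary" is always true
  // because strictly necessary cookies are exempt from consent.
  decide(granted, method) {
    const choices = Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" || granted[c] === true])
    );
    const record = {
      version: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      visitorId: this.visitorId,
      method, // "banner", "settings-page" or "withdraw": how the decision was made
      choices,
    };
    this.store.set("cookie_consent", JSON.stringify(record));
    // Append-only log of every decision. A real deployment also sends each record
    // to the server so the evidence survives the visitor clearing the browser.
    const log = JSON.parse(this.store.get("cookie_consent_log") || "[]");
    log.push(record);
    this.store.set("cookie_consent_log", JSON.stringify(log));
    this.applyConsent();
    return record;
  }

  // Withdrawal must be as easy as consent: one call from the footer "cookie settings"
  // link. It stops all further loading; cookies already set by a loaded script have
  // to be deleted by the caller, since a script cannot be "unloaded".
  withdrawAll() {
    return this.decide({}, "withdraw");
  }

  // Load every gated script whose category has an active grant, each at most once.
  applyConsent() {
    const record = this.current();
    if (record === null) return [];
    const loadedNow = [];
    for (const category of Object.keys(this.gated)) {
      if (!record.choices[category]) continue;
      for (const src of this.gated[category]) {
        if (this.loaded.has(src)) continue;
        this.loaded.add(src);
        this.loadScript(src);
        loadedNow.push(src);
      }
    }
    return loadedNow;
  }
}
```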
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
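To make the five requirements above and the category table concrete, here is a small consent gate written for this article as an added example; it is not code from the post or from any of the plugins compared below. It assumes non-essential scripts are authored as `<script type="text/plain" data-consent="analytics">` so the browser never executes them until the gate replaces them, and it treats the `necessary` category as exempt exactly as the table does. The category names and the `CONSENT_VERSION` convention are assumptions.

```javascript
// Added example for this article: a minimal cookie-consent gate.
// Non-essential scripts are authored with type="text/plain" so the browser never
// executes them; they are only activated once the gate allows their category.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const CONSENT_VERSION = '2026-01'; // assumed convention: bump whenever the cookie policy changes

// Build a consent record from an explicit user choice. Nothing is pre-ticked:
// any category not affirmatively set to true is denied.
function buildConsent(choices, now = new Date()) {
  if (!choices || typeof choices !== 'object') {
    throw new TypeError('consent requires an explicit user choice');
  }
  const granted = { necessary: true }; // strictly necessary cookies are exempt
  for (const cat of CATEGORIES.slice(1)) {
    granted[cat] = choices[cat] === true;
  }
  return { version: CONSENT_VERSION, timestamp: now.toISOString(), granted };
}

// "Reject All" must be as easy as "Accept All": both are a single call.
function acceptAll(now) {
  return buildConsent({ functional: true, analytics: true, marketing: true }, now);
}
function rejectAll(now) {
  return buildConsent({}, now);
}

// A record is usable only if it matches the current policy version and has
// not been withdrawn; otherwise the banner must be shown again.
function isConsentValid(record) {
  return Boolean(record) && record.version === CONSENT_VERSION && !record.withdrawnAt;
}

// The gate: may a cookie or script in `category` run under `record`?
function allowed(category, record) {
  if (category === 'necessary') return true;        // session, CSRF token, cart: exempt
  if (!CATEGORIES.includes(category)) return false; // unknown category: fail closed
  return isConsentValid(record) && record.granted[category] === true;
}

// Withdrawal keeps the original record (it stays in the consent log as evidence)
// and marks when consent ended.
function withdraw(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Activate blocked scripts whose category is allowed. Replacing a text/plain
// script with a freshly created one makes the browser execute it. Guarded so the
// pure logic above also runs under Node.
function activateScripts(record, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    if (!allowed(el.dataset.consent, record)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

The record returned by `buildConsent` is what goes into the consent log (what was consented to, when, under which policy version); persist it in a strictly necessary cookie or local storage on the client and post a copy to your server-side log. Because `allowed` fails closed for unknown categories and stale versions, a plugin that adds a new cookie category or a policy update automatically forces the banner to reappear rather than silently running scripts.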
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
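As an added example covering both the data-subject-rights checklist above and the plugin-data gap just described (it is not WordPress code and not from the post), the handler below runs over constructed in-memory stores standing in for an account table, order history and form submissions, keyed on the subject's email address (an assumption). It produces a machine-readable export, computes the 30-day deadline, and on erasure deletes what it can while anonymising records that a stated retention obligation says must be kept; the retention rule itself is a constructed placeholder.

```javascript
// Added example: a data-subject-request (DSAR) handler over constructed stores.
// Each store is an array of rows carrying the subject's email (assumed identifier).
const SAMPLE_STORES = {
  account: [
    { email: 'ana@example.com', name: 'Ana', locale: 'pt-BR' },
  ],
  orders: [
    { email: 'ana@example.com', id: 'ORD-1', total: 49.0, date: '2025-03-02' },
    { email: 'bob@example.com', id: 'ORD-2', total: 12.5, date: '2025-03-05' },
  ],
  submissions: [
    { email: 'ana@example.com', form: 'contact', message: 'Hello', date: '2025-04-10' },
  ],
};

// Retention exceptions: stores that a legal obligation says must be kept are
// anonymised instead of deleted. The reason is reported back to the requester.
const RETAIN_ON_ERASURE = {
  orders: 'invoice records kept under accounting law (assumed retention rule)',
};
const IDENTIFYING_FIELDS = ['email', 'name', 'message'];
const DEADLINE_DAYS = 30; // the 30-day response window used in the checklist

// Date by which a request received on `received` (YYYY-MM-DD) must be answered.
function deadlineFor(received) {
  const d = new Date(received + 'T00:00:00Z');
  d.setUTCDate(d.getUTCDate() + DEADLINE_DAYS);
  return d.toISOString().slice(0, 10);
}

// Right to access / portability: everything held on the subject, as JSON.
function exportSubject(email, stores) {
  const data = {};
  for (const [name, rows] of Object.entries(stores)) {
    const mine = rows.filter((r) => r.email === email);
    if (mine.length > 0) data[name] = mine;
  }
  return { subject: email, format: 'application/json', data };
}

// Right to erasure: delete where possible, anonymise where retention applies,
// and report exactly what happened so the reply to the subject is accurate.
function eraseSubject(email, stores, retain = RETAIN_ON_ERASURE) {
  const report = { subject: email, erased: {}, retained: {} };
  for (const [name, rows] of Object.entries(stores)) {
    if (name in retain) {
      let count = 0;
      for (const r of rows) {
        if (r.email !== email) continue;
        for (const f of IDENTIFYING_FIELDS) if (f in r) r[f] = null; // strip identifiers, keep the record
        count += 1;
      }
      if (count > 0) report.retained[name] = { count, reason: retain[name] };
    } else {
      const kept = rows.filter((r) => r.email !== email);
      const count = rows.length - kept.length;
      stores[name] = kept;
      if (count > 0) report.erased[name] = count;
    }
  }
  return report;
}

// Fresh copy of the sample data, so a demo or test never mutates the constant.
function freshStores() {
  return JSON.parse(JSON.stringify(SAMPLE_STORES));
}
```

The point of the `report` object is the second half of the checklist item ("with exceptions"): the subject must be told which records were erased and which were retained and why, and a second `exportSubject` call after erasure should come back empty, which is a useful self-check to run before replying.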
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
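An added example of the server-side half of this rule (not Stripe, PayPal or WooCommerce code): a guard for a Node/Express-style request handler, an assumed framework, that scans the parsed request body for anything shaped like a full card number and rejects the request before it reaches a database or log. The allowlisted field names are assumptions standing in for the tokenized fields a compliant integration does send.

```javascript
// Added example: reject raw card numbers at the server edge so a misconfigured
// form can never put a PAN into your database or logs.

// Luhn check: every real card number passes it, most random digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  let alternate = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (alternate) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// Find a PAN-shaped run (13 to 19 digits, optional spaces or dashes) that passes
// Luhn. Returns a masked form (first 6, last 4) or null; never the full number.
function findPan(value) {
  if (typeof value !== 'string') return null;
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
    }
  }
  return null;
}

// Walk a parsed body recursively and list offending field paths. Fields that
// legitimately carry processor tokens (assumed names) are skipped.
const TOKEN_FIELDS = new Set(['payment_method_id', 'stripeToken', 'paymentMethod']);
function scanBody(body, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body || {})) {
    if (TOKEN_FIELDS.has(key)) continue;
    const fieldPath = path ? `${path}.${key}` : key;
    if (value && typeof value === 'object') {
      hits.push(...scanBody(value, fieldPath));
    } else {
      const masked = findPan(String(value));
      if (masked) hits.push({ field: fieldPath, masked });
    }
  }
  return hits;
}

// Express-style middleware (assumed framework). Logs only field names, never values.
function rejectRawCardData(req, res, next) {
  const hits = scanBody(req.body);
  if (hits.length > 0) {
    console.warn('raw card data rejected in fields:', hits.map((h) => h.field).join(', '));
    return res.status(400).json({
      error: 'Card details must be entered in the payment element, not in this form.',
    });
  }
  return next();
}
```

This is a safety net, not a substitute for the client-side tokenization the paragraph describes: it exists so that the SAQ A claim ("card data never touches our servers") stays true even if someone later adds a plain text field to a checkout form.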
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
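Even with tokenized checkout, card numbers can still reach your server through places you did not design for them: a free-text order note, a contact form, a support ticket. The following added example (not code from the page, Stripe, PayPal or WooCommerce) is a server-side guard that detects card-number-like values in submitted fields with a Luhn check, refuses to store the submission, and shows the PCI masking rule for the one case where part of a number must appear in a log. The field names and sample values are constructed.

```javascript
// Added example (not from the page or any payment provider): refuse to store
// form submissions that contain what looks like a primary account number (PAN).
const PAN_CANDIDATE = /\b(?:\d[ -]?){13,19}\b/g;

// Luhn check: every real card number passes it, which separates PANs from
// order references and phone numbers of similar length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the text contains a Luhn-valid run of 13-19 digits (spaces or
// dashes between groups allowed, as people type them).
function looksLikePan(text) {
  if (typeof text !== 'string') return false;
  const matches = text.match(PAN_CANDIDATE) || [];
  return matches.some(m => {
    const digits = m.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Names of every field in a submission that carries a PAN; empty means safe.
function findPanFields(fields) {
  return Object.entries(fields)
    .filter(([, value]) => looksLikePan(value))
    .map(([name]) => name);
}

// Masking for a log line if a number must be referenced at all: first six and
// last four digits only, which is the PCI DSS display rule. Never the full PAN.
function maskPan(digits) {
  const d = digits.replace(/[ -]/g, '');
  return d.slice(0, 6) + '*'.repeat(Math.max(0, d.length - 10)) + d.slice(-4);
}

// Gate for the request handler: reject rather than persist. The rejection
// message names the field, not the number, so it is safe to log.
function acceptSubmission(fields) {
  const offending = findPanFields(fields);
  if (offending.length > 0) {
    return { ok: false, reason: 'card number in fields: ' + offending.join(', ') };
  }
  return { ok: true };
}
```

Running the same check over outbound log lines and support-ticket bodies is the usual second use; the aim is that a PAN typed into the wrong box never widens your SAQ A scope by landing in a database or a log file.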
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
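An age check on a registration form is easy to get subtly wrong (birthdays later in the year, 29 February, impossible dates that JavaScript silently rolls over). The following added example, not code from the page, shows one implementation using the page's minimum ages (13 by default, 16 for EU sites); the region lookup and the `YYYY-MM-DD` form format are assumptions for this example.

```javascript
// Added example (not from the page): registration age gate for the COPPA
// minimum. Minimum ages are the page's figures; region lookup is assumed.
const MINIMUM_AGE = { default: 13, EU: 16 };

// Parse a YYYY-MM-DD form value in UTC. Rejects garbage and impossible dates
// such as 2010-02-30 instead of letting Date roll them into March.
function parseDob(input) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(input).trim());
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]) - 1, Number(m[3])];
  const date = new Date(Date.UTC(y, mo, d));
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

// Age in completed years on `today`. A birthday later in the year has not
// happened yet; a 29 February birthday counts as 1 March in non-leap years.
function ageInYears(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!birthdayPassed) age -= 1;
  return age;
}

// Decide whether registration may proceed. Unparsable or future dates are
// refused so the form asks again rather than defaulting to "adult".
// Store only the outcome (an "age verified" flag), not the date of birth:
// the check needs the date once, the account does not need it at all.
function checkRegistrationAge(dobInput, region, today = new Date()) {
  const dob = parseDob(dobInput);
  if (!dob) return { allowed: false, reason: 'invalid date of birth' };
  if (dob > today) return { allowed: false, reason: 'date of birth in the future' };
  const minimum = MINIMUM_AGE[region] ?? MINIMUM_AGE.default;
  const age = ageInYears(dob, today);
  if (age < minimum) return { allowed: false, reason: `minimum age is ${minimum}` };
  return { allowed: true, reason: 'ok' };
}
```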
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
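The consent rules above (active consent, granular categories, easy withdrawal, a stored record, and "prior" meaning nothing non-essential runs before the answer) as an added JavaScript example, not code from the article or from any consent plugin it names. The tag registry, the visitor id, and the policy version values are assumptions.

```javascript
// Cookie categories from the table above; "necessary" is exempt from consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// A fresh consent state: nothing pre-ticked. Only strictly necessary cookies
// are on, and that category cannot be switched off.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the visitor's active choices. It stores what was
// consented to, when, which policy version was shown, and a random first-party
// visitor id (assumed to live in a necessary cookie; the IP is not stored).
function recordConsent(choices, { policyVersion, visitorId, now = new Date() }) {
  const granted = defaultConsent();
  for (const category of CATEGORIES) {
    // Only an explicit true counts as consent; absent or false stays denied.
    if (category !== 'necessary' && choices[category] === true) granted[category] = true;
  }
  return { visitorId, policyVersion, timestamp: now.toISOString(), granted, withdrawn: null };
}

// Withdrawal must be as easy as consent: one call resets every non-essential
// category and keeps the time of withdrawal for the audit trail.
function withdrawConsent(record, now = new Date()) {
  return { ...record, granted: defaultConsent(), withdrawn: now.toISOString() };
}

// Decide whether a tag in the given category may run. No record, or a record
// for an older policy version, means "not consented": the tag stays blocked
// until the banner has been answered again. This check runs before any script
// is injected, which is what "prior" consent means in practice.
function isAllowed(record, category, currentPolicyVersion) {
  if (category === 'necessary') return true;
  if (!record || record.policyVersion !== currentPolicyVersion) return false;
  return record.granted[category] === true;
}

// Tag registry: each third-party script is declared with its category so the
// page can decide what to inject. These entries are constructed for the example.
const TAGS = [
  { id: 'session', category: 'necessary', src: '/js/session.js' },
  { id: 'google-analytics', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js' },
  { id: 'facebook-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Return the tags that may load for this visitor. In the browser the caller
// would create a <script> element only for each returned entry.
function tagsToLoad(record, currentPolicyVersion, tags = TAGS) {
  return tags.filter((tag) => isAllowed(record, tag.category, currentPolicyVersion));
}

// Check a banner configuration against the requirements listed above: no
// non-essential category may start checked, and an "Accept all" button needs
// a "Reject all" button beside it.
function validateBanner(config) {
  const problems = [];
  for (const category of CATEGORIES) {
    if (category !== 'necessary' && config.defaults[category] === true) {
      problems.push(`pre-ticked category: ${category}`);
    }
  }
  if (config.buttons.includes('accept-all') && !config.buttons.includes('reject-all')) {
    problems.push('accept-all offered without reject-all');
  }
  return problems;
}
```

Re-prompting when the policy version changes is deliberate: consent given to an older cookie policy does not cover cookies that were added afterwards.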
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
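The requirements above turned into code, as an added example (this is not code from the original post or from any of the consent plugins it compares). It assumes that non-essential scripts are written into the page as `<script type="text/plain" data-consent="analytics" src="...">`, which the browser will not execute, and that the category names and the `POLICY_VERSION` constant are the site owner's own choices. Nothing is pre-ticked, each category is granted on its own, a record of what was granted and when is produced, a record made under an older policy version forces a fresh prompt, and withdrawal produces a new record instead of silently editing the old one:

```javascript
// Added example, not code from the original post or from any consent plugin it compares.
// Assumptions (mine, not the page's): non-essential scripts are written as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser does not run them until this code activates them, and the
// category names and POLICY_VERSION below are chosen by the site owner.
const CONSENT_CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // bump whenever the cookie policy text changes

// Opaque id for the consent record itself; it identifies the record, not the visitor.
function randomId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'rec-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2); // older Node fallback
}

// Nothing is pre-ticked: only strictly necessary is on before the user chooses.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a record from what the user actively selected. Unknown keys are ignored
// and 'necessary' cannot be switched off, so the record is always well-formed.
function makeConsentRecord(choice, now = Date.now()) {
  const granted = defaultConsent();
  for (const cat of CONSENT_CATEGORIES) {
    if (cat !== 'necessary' && choice[cat] === true) granted[cat] = true;
  }
  return {
    id: randomId(),
    policyVersion: POLICY_VERSION,
    grantedAt: new Date(now).toISOString(),
    categories: granted,
  };
}

// Which blocked scripts may run under a record. Each entry mirrors one
// <script type="text/plain" data-consent="..."> tag. No record, or a record
// made under an older policy version, allows nothing: the banner must be shown again.
function scriptsAllowed(record, blockedScripts) {
  if (!record || record.policyVersion !== POLICY_VERSION) return [];
  return blockedScripts.filter((s) => record.categories[s.category] === true);
}

// Withdrawal is as easy as granting: one call, producing a new record that
// points at the one it supersedes, so the log keeps the full history.
function withdraw(record, categories, now = Date.now()) {
  const next = { ...record.categories };
  for (const cat of categories) if (cat !== 'necessary') next[cat] = false;
  return { ...makeConsentRecord(next, now), withdrawnFrom: record.id };
}

// Browser glue: swap each allowed placeholder for a real <script> so it executes now.
// Returns the number of scripts activated; under Node (no DOM) it does nothing.
function activateInDom(record) {
  if (typeof document === 'undefined') return 0;
  const blocked = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  ).map((el) => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const s of scriptsAllowed(record, blocked)) {
    const real = document.createElement('script');
    if (s.el.src) real.src = s.el.src; else real.textContent = s.el.textContent;
    s.el.replaceWith(real);
    activated++;
  }
  return activated;
}
```

Store the record's `id` in a first-party cookie (strictly necessary, so it needs no consent itself) and post the record to your server, so the consent log the requirements call for exists somewhere you can produce on request. `activateInDom` only ever runs after a record exists, which is what "prior" means in practice: the analytics and marketing tags stay inert text until the visitor has actively chosen.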
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes (ePrivacy rules, with GDPR's consent standard); cookieless, first-party audience measurement such as a correctly configured Matomo is exempt in some jurisdictions |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex or numerous requests; verify the requester's identity before disclosing anything)
- Process for deletion requests (erase data within one month, with exceptions such as records you must keep for legal or accounting reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Document every breach internally, including the ones you decide not to report and the reasoning, because the regulation requires that record. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually required to tell you about breaches promptly, since their delay eats into your 72 hours.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form (an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the visitor's browser to the processor and never touches your servers, your PCI scope shrinks to SAQ A, the simplest self-assessment questionnaire.
Do not collect card numbers in your own forms, do not accept them in support tickets or chat, and do not store them anywhere in your database or logs. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything reaches your server. Even with SAQ A, PCI DSS v4 expects you to control the JavaScript that runs on payment pages: keep an inventory of the scripts loaded on checkout and do not load untrusted third-party scripts there, because a compromised script can read card details from the page before they reach the processor's iframe.
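A guard for your own server, as an added example (not code from the original post or from Stripe, PayPal or WooCommerce). It assumes an Express-style `(req, res, next)` middleware signature and a parsed `req.body`; everything else is plain JavaScript. It rejects any request whose fields contain a card-number-like value (13 to 19 digits that pass the Luhn checksum), logging only the field names, so a misbuilt form or a plugin that posts raw card data to your server is caught before that data lands in your logs or database and pulls you out of SAQ A scope. Processor tokens with prefixes like `pm_` or `tok_` pass through untouched:

```javascript
// Added example, not code from the original post or from Stripe, PayPal or WooCommerce.
// Assumptions (mine): an Express-style (req, res, next) middleware and a parsed req.body.
// Purpose: make sure raw card numbers never reach your database or logs, even if a
// form or plugin is misconfigured, so your server stays out of PCI scope.

// Luhn checksum, which every card network's PANs satisfy.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value contains a run of 13-19 digits (spaces or dashes allowed
// between them) that passes Luhn. Heuristic: a long Luhn-valid order number
// would also trip it, which is the safe direction for a payment-page guard.
function looksLikePan(value) {
  if (typeof value === 'number') value = String(value);
  if (typeof value !== 'string') return false;
  const runs = value.match(/(?:\d[ -]?){12,18}\d/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, '')));
}

// Walk a parsed JSON or form body and return the dotted paths of offending fields.
function findPanFields(obj, path = '', out = []) {
  if (obj !== null && typeof obj === 'object') {
    for (const [key, val] of Object.entries(obj)) {
      findPanFields(val, path ? `${path}.${key}` : key, out);
    }
  } else if (looksLikePan(obj)) {
    out.push(path);
  }
  return out;
}

// Express-style middleware. Only field names are logged; the values are never
// written anywhere, because a logged PAN is itself stored cardholder data.
function rejectRawCardData(req, res, next) {
  const hits = findPanFields(req.body);
  if (hits.length === 0) return next();
  console.warn(`blocked request carrying card-number-like data in fields: ${hits.join(', ')}`);
  return res.status(400).json({
    error: 'Card details must be entered in the payment provider form, not sent to this server.',
  });
}
```

Mount it before your route handlers and before any request logging (`app.use(rejectRawCardData)` in Express, after the body parser), and treat every hit as an incident to investigate: something on the page is collecting card data the wrong way.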
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the registration must be renewed every three years or it expires, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you store what was accepted (the ToS version), when, and by which account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and neither is a single checkbox that covers both the ToS and marketing consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (together with the ePrivacy rules on electronic marketing), you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-out requests must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages, with implied consent available only in limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. Together these practices meet or exceed the requirements of every jurisdiction above.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it stores identifiers on the visitor's device and sends browsing data to Google; the fact that the data ends up on Google's servers in the US is a separate international-transfer question on top of that. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Several supervisory authorities (France's CNIL, for example) exempt it from the consent requirement when it is configured for audience measurement only, without cookies or cross-site tracking.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour (analytics and advertising tracking count as monitoring). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 20M EUR or 4% of worldwide annual turnover, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | £17.5M or 4% of worldwide annual turnover, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics) from visitors in the EU, you are almost certainly subject to GDPR, because analytics and marketing cookies amount to monitoring their behaviour. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
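To make the "prior, granular, withdrawable" rule and the category table above concrete, here is an added example of a client-side consent gate. It is not code from the article or from any of the plugins compared below. The category names follow the table; `POLICY_VERSION`, the storage key and the `MemoryStore` class are assumptions made for the example (in a browser you would pass `window.localStorage` instead). The point it shows: no tracking script runs until an explicit choice is recorded, "necessary" is the only category that never needs consent, the stored record says what was granted, when and how, and withdrawing is a single call.

```javascript
// Client-side consent gate (illustrative, not any plugin's code). Category names follow
// the article's table; only "necessary" is exempt from consent.
const CONSENT_CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Assumption: bump this whenever the cookie policy changes, so old consent is re-asked.
const POLICY_VERSION = "2024-01";
const STORAGE_KEY = "cookie_consent";

class ConsentManager {
  // store: anything with getItem/setItem/removeItem (window.localStorage in a browser).
  // now: injectable clock so the timestamps in the consent record are testable.
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    this.pending = new Map(); // category -> loaders parked until consent exists
  }

  // The stored record, or null if there is none or it was given under an older policy.
  record() {
    const raw = this.store.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  // Strictly necessary cookies never need consent; everything else needs an explicit grant.
  isAllowed(category) {
    if (!CONSENT_CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (category === "necessary") return true;
    const rec = this.record();
    return rec !== null && rec.granted.includes(category);
  }

  // Records an active choice. `granted` is exactly what the user ticked (nothing is
  // pre-ticked); "necessary" is always implied. `method` documents how the choice was
  // made, which is what a consent log needs alongside the timestamp.
  save(granted, method) {
    const bad = granted.filter((c) => !CONSENT_CATEGORIES.includes(c));
    if (bad.length) throw new Error(`unknown categories: ${bad.join(",")}`);
    const rec = {
      policyVersion: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      method,
      granted: ["necessary", ...new Set(granted.filter((c) => c !== "necessary"))],
    };
    this.store.setItem(STORAGE_KEY, JSON.stringify(rec));
    this.flush();
    return rec;
  }

  acceptAll() { return this.save(CONSENT_CATEGORIES, "banner_accept_all"); }
  rejectAll() { return this.save([], "banner_reject_all"); }

  // Withdrawal is as easy as giving consent: one call clears the record. Cookies that were
  // already set must then be deleted by the caller; this gate only stops new ones.
  withdraw() {
    this.store.removeItem(STORAGE_KEY);
    return null;
  }

  // Runs `loader` now if the category is allowed, otherwise parks it until consent is
  // saved. This is the "script blocking" behaviour the plugin comparison refers to.
  loadWhenAllowed(category, loader) {
    if (this.isAllowed(category)) { loader(); return true; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }

  flush() {
    for (const [category, loaders] of this.pending) {
      if (!this.isAllowed(category)) continue;
      loaders.forEach((fn) => fn());
      this.pending.delete(category);
    }
  }
}

// Minimal in-memory store with the localStorage interface so the example runs in Node.
class MemoryStore {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
}
```

Note what is deliberately absent: there is no code path that records consent on scroll or on continued browsing, and `acceptAll()` and `rejectAll()` are symmetric, which is the "Reject All must be as easy as Accept All" requirement expressed in code.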
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
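An added example (not code from the original post or from any plugin named here) of a consent gate that implements the requirements above using the category split from the table: default deny with nothing pre-ticked, granular categories, non-essential scripts held back until a decision, a record of what was consented to, when, how and by whom, and one-call withdrawal. Storage, script injection and the consent-log hook are injected so it runs headless; the names, the policy version and the subject ID are assumptions.

```javascript
// Added example (not from the original post): a consent gate implementing the
// cookie-consent requirements above. Storage and script injection are passed in,
// so it runs in Node for testing and in a browser with localStorage/<script>.
const CATEGORIES = Object.freeze({
  necessary: { exempt: true },   // session, login, cart, CSRF token: exempt
  functional: { exempt: false },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

// Bump whenever the cookie policy changes: a record for an old version is not
// valid consent for the new one, so the banner is shown again. Assumed value.
const POLICY_VERSION = "2026-01";
const STORAGE_KEY = "cookie_consent";

function defaultChoices() {
  // No pre-ticked boxes: every non-exempt category starts as "not consented".
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) choices[name] = meta.exempt;
  return choices;
}

class ConsentManager {
  // storage:    { get(key), set(key, value) } (localStorage-compatible)
  // loadScript: injects the third-party script (a <script> tag in a browser)
  // onRecord:   ships the record to your server-side consent log
  // subject:    pseudonymous visitor/user ID so the log says who consented
  constructor({ storage, loadScript, onRecord = () => {}, now = () => new Date(), subject = null }) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.onRecord = onRecord;
    this.now = now;
    this.subject = subject;
    this.pending = [];   // non-essential scripts held back until the visitor decides
    this.loaded = [];
    this.record = this.readRecord();
  }

  readRecord() {
    const raw = this.storage.get(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;   // corrupt record: treat as no decision
    }
  }

  hasDecided() { return this.record !== null; }
  choices() { return this.record ? { ...this.record.choices } : defaultChoices(); }
  allowed(category) { return this.choices()[category] === true; }

  // Use this instead of a plain <script> tag for every third-party script, so
  // nothing non-essential runs before the visitor decides ("prior" consent).
  register(category, src) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    if (this.allowed(category)) this.load(category, src);
    else this.pending.push({ category, src });
  }

  load(category, src) {
    this.loadScript(src);
    this.loaded.push({ category, src });
  }

  // Persist a decision. `partial` holds the categories the visitor ticked;
  // anything omitted stays false, and exempt categories cannot be switched off.
  save(partial, method) {
    const choices = defaultChoices();
    for (const [name, value] of Object.entries(partial)) {
      if (name in CATEGORIES && !CATEGORIES[name].exempt) choices[name] = value === true;
    }
    this.record = {
      version: POLICY_VERSION,
      choices,
      timestamp: this.now().toISOString(),
      method,                // "banner", "settings" or "withdraw"
      subject: this.subject,
    };
    this.storage.set(STORAGE_KEY, JSON.stringify(this.record));
    this.onRecord(this.record);
    this.flush();
    return this.record;
  }

  acceptAll(method = "banner") {
    const all = {};
    for (const name of Object.keys(CATEGORIES)) all[name] = true;
    return this.save(all, method);
  }

  rejectAll(method = "banner") { return this.save({}, method); }

  // Withdrawal is one call, wired to the footer "Cookie settings" link.
  // Already-loaded scripts cannot be unloaded, so after calling this also
  // expire that category's cookies and reload the page.
  withdraw() { return this.save({}, "withdraw"); }

  // Load anything that was held back and is now allowed.
  flush() {
    const stillPending = [];
    for (const item of this.pending) {
      if (this.allowed(item.category)) this.load(item.category, item.src);
      else stillPending.push(item);
    }
    this.pending = stillPending;
  }
}
```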
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
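As an added example that is not part of the original post or of any processor's SDK: a server-side guard for an Express-style handler (framework assumed) that rejects any request body in which a card number appears, so that a mis-wired form cannot quietly pull your server into PCI scope. The Luhn check and the 13-19 digit pattern are the standard card-number properties; the field names and middleware name are constructed.

```javascript
// Added example (not from the original post): refuse raw card data at the
// server edge. Tokenised payment details ("tok_...", "pm_...") never match.

// Luhn check: the checksum every card number passes. Filters out most 13-19
// digit values that are not PANs (order numbers, phone numbers, timestamps).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const match of String(text).match(PAN_PATTERN) || []) {
    const digits = match.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a parsed body (JSON or form fields) and return the paths of fields that
// carry a card number. Only paths are returned, never the values.
function scanBody(body, path = "") {
  const findings = [];
  if (body === null || body === undefined) return findings;
  if (typeof body === "string" || typeof body === "number") {
    if (findPans(body).length > 0) findings.push(path || "(root)");
    return findings;
  }
  if (typeof body === "object") {
    for (const [key, value] of Object.entries(body)) {
      findings.push(...scanBody(value, path ? `${path}.${key}` : key));
    }
  }
  return findings;
}

// Express-style middleware (assumed framework). Logs field names only, so the
// card number is not written to your logs either.
function rejectRawCardData(req, res, next) {
  const fields = scanBody(req.body);
  if (fields.length > 0) {
    console.warn("raw card data rejected in fields:", fields.join(", "));
    return res.status(400).json({ error: "card details must be tokenised client-side" });
  }
  return next();
}
```

Mount it before every route that accepts form or JSON input, including checkout and any custom form plugin endpoint.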
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
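The rule above (only a processor token ever reaches your server) is easy to state and easy to break by accident: a free-text "order notes" field, a support form, or a debug log will happily accept a card number typed by a customer. The following is an added example, not code from the article or from any payment processor's SDK: a server-side guard that scans an incoming checkout body for anything that looks like a primary account number (13-19 digits passing the Luhn check) and rejects the request, reporting only the field path so the number never lands in an error message or log. The field names and the Stripe-style `tok_`/`pm_` token prefixes are assumptions.

```javascript
// Added example (not code from the article or any payment processor SDK):
// a server-side guard that refuses requests carrying raw card numbers, so the
// only payment data your server ever stores is a processor token. The field
// names and the Stripe-style token prefixes are assumptions.

// Luhn mod-10 check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Return substrings of `text` that look like a primary account number:
// 13 to 19 digits, optionally separated by spaces or dashes, passing Luhn.
function findPans(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Walk a parsed request body and list the paths of fields containing a PAN.
function scanForPans(value, path = '') {
  const hits = [];
  const here = path || '(root)';
  if (typeof value === 'string' || typeof value === 'number') {
    if (findPans(String(value)).length > 0) hits.push(here);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...scanForPans(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...scanForPans(v, path ? `${path}.${k}` : k));
    }
  }
  return hits;
}

// A processor token is the only payment reference the server should accept
// (assumed Stripe-style prefixes: tok_ for card tokens, pm_ for PaymentMethods).
function isProcessorToken(s) {
  return typeof s === 'string' && /^(tok|pm)_[A-Za-z0-9]{8,}$/.test(s);
}

// Validate a checkout request. On failure only field paths are reported, so a
// card number never ends up in an error message or a log line.
function validateCheckout(body) {
  const hits = scanForPans(body);
  if (hits.length > 0) return { ok: false, reason: 'raw_card_data', fields: hits };
  if (!isProcessorToken(body && body.paymentToken)) {
    return { ok: false, reason: 'missing_token', fields: ['paymentToken'] };
  }
  return { ok: true, token: body.paymentToken };
}

// Constructed sample requests (not real traffic). 4242 4242 4242 4242 is a
// well-known test card number, not a live one.
const SAMPLE_OK = { paymentToken: 'tok_1AbCdEfGh', amount: 1999, note: 'gift wrap please' };
const SAMPLE_BAD = {
  paymentToken: 'tok_1AbCdEfGh',
  customer: { notes: ['card 4242 4242 4242 4242 exp 12/30'] },
};
```

Run the scan on free-text fields only if your forms carry long numeric identifiers (order or tracking numbers of 13+ digits), because roughly one in ten random digit strings passes Luhn and would be a false positive. Rejecting the request, rather than silently stripping the number, also tells you which form is leaking card data into your scope.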
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
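The age check mentioned above is a small piece of code with two classic bugs waiting in it: counting years without checking whether this year's birthday has passed, and letting JavaScript's `Date` silently roll an impossible date like 31 February into March. The following is an added example, not code from the article: a registration-time age gate that avoids both, takes the minimum age as a parameter (13 for most sites, 16 for EU-facing sites, as the text notes), and returns only the verified age so the date of birth itself need not be stored. The form field name `dateOfBirth` is an assumption.

```javascript
// Added example (not code from the article): a registration-time age gate.
// The minimum age is a parameter (13 for most sites, 16 for EU-facing sites,
// as the article notes); the form field name `dateOfBirth` is an assumption.

// Completed years between a YYYY-MM-DD date of birth and `today`, or null for
// malformed or impossible dates. Works in UTC so the server's timezone does
// not shift the result.
function ageInYears(dobIso, today = new Date()) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(dobIso));
  if (!m) return null;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const dob = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls 2010-02-31 into March; reject such inputs instead.
  if (dob.getUTCFullYear() !== y || dob.getUTCMonth() !== mo - 1 || dob.getUTCDate() !== d) {
    return null;
  }
  let age = today.getUTCFullYear() - y;
  const hadBirthdayThisYear =
    today.getUTCMonth() > mo - 1 ||
    (today.getUTCMonth() === mo - 1 && today.getUTCDate() >= d);
  // A 29 February birthday counts as having passed on 1 March in non-leap years.
  if (!hadBirthdayThisYear) age -= 1;
  return age;
}

// Decide whether a registration may proceed. Returns a result rather than
// throwing so the form can show an error. The date of birth itself is not
// returned: keep only the verified age (or a pass/fail flag) to honour data
// minimisation, since the birth date is personal data you otherwise never need.
function checkRegistrationAge(form, { minimumAge = 13, today = new Date() } = {}) {
  const age = ageInYears(form && form.dateOfBirth, today);
  if (age === null || age < 0) return { allowed: false, reason: 'invalid_date' };
  if (age < minimumAge) return { allowed: false, reason: 'under_minimum_age' };
  return { allowed: true, age };
}
```

Run the check server-side, not only in the browser: a client-side date picker with a minimum date is a convenience, not a control, and the registration handler is the point at which you decide whether an account exists.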
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
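If you run your own signup form instead of the platform's embed, the consent record has to be built by you, and it is only worth anything if it is created at the confirmation click, not at the initial form submit. The following is an added example, not code from the article or from any email platform: a double opt-in flow in which the signup request only creates a pending entry with an unpredictable token, and the confirmation click records method, source, timestamps and both IP addresses before the address becomes mailable. Storage is an in-memory Map, and the 48-hour link expiry and the record fields are assumptions.

```javascript
// Added example (not code from the article or from any email platform): a
// double opt-in flow that records date, IP and method of consent for each
// subscriber. Storage is an in-memory Map; the 48-hour link expiry and the
// record fields are assumptions.

const CONFIRM_TTL_MS = 48 * 60 * 60 * 1000;

// Unpredictable confirmation token (hex). Uses WebCrypto where available.
function randomHex(bytes) {
  const buf = new Uint8Array(bytes);
  const c = globalThis.crypto;
  if (c && typeof c.getRandomValues === 'function') c.getRandomValues(buf);
  else require('crypto').randomFillSync(buf);          // Node without global WebCrypto
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Constant-time comparison so a guessed token cannot be confirmed byte by byte.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

const normalize = (email) => String(email).trim().toLowerCase();

function createMailingList({ now = () => Date.now(), tokenHex = () => randomHex(32) } = {}) {
  const pending = new Map();      // email -> { token, requestedAt, ip, source }
  const subscribers = new Map();  // email -> { email, consent, unsubscribedAt }

  return {
    // Step 1: the signup form posts here. The address is NOT on the list yet;
    // the caller sends a confirmation email containing the returned token.
    requestSubscription(email, { ip, source }) {
      const addr = normalize(email);
      if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr)) return { ok: false, reason: 'invalid_email' };
      const existing = subscribers.get(addr);
      if (existing && !existing.unsubscribedAt) return { ok: true, alreadySubscribed: true };
      const token = tokenHex();
      pending.set(addr, { token, requestedAt: now(), ip, source });
      return { ok: true, confirmToken: token };
    },

    // Step 2: the link is clicked. Only now is consent recorded and the address added.
    confirm(email, token, { ip }) {
      const addr = normalize(email);
      const p = pending.get(addr);
      if (!p) return { ok: false, reason: 'no_pending_request' };
      if (now() - p.requestedAt > CONFIRM_TTL_MS) {
        pending.delete(addr);
        return { ok: false, reason: 'expired' };
      }
      if (!safeEqual(p.token, token)) return { ok: false, reason: 'bad_token' };
      pending.delete(addr);
      const consent = {
        method: 'double_opt_in',
        source: p.source,                                // which form collected the address
        requestedAt: new Date(p.requestedAt).toISOString(),
        requestIp: p.ip,
        confirmedAt: new Date(now()).toISOString(),
        confirmIp: ip,
      };
      subscribers.set(addr, { email: addr, consent, unsubscribedAt: null });
      return { ok: true, consent };
    },

    // Unsubscribe takes effect immediately. The consent record is kept as
    // evidence of the original opt-in; the address simply stops being mailable.
    unsubscribe(email) {
      const s = subscribers.get(normalize(email));
      if (!s) return { ok: false, reason: 'not_subscribed' };
      s.unsubscribedAt = new Date(now()).toISOString();
      return { ok: true };
    },

    isMailable(email) {
      const s = subscribers.get(normalize(email));
      return Boolean(s && !s.unsubscribedAt);
    },
    getConsentRecord(email) {
      const s = subscribers.get(normalize(email));
      return s ? { ...s.consent } : null;
    },
  };
}

// Constructed walk-through with a fixed clock and token so the result is deterministic.
function demoDoubleOptIn() {
  let t = Date.UTC(2024, 0, 10, 9, 0, 0);
  const list = createMailingList({ now: () => t, tokenHex: () => 'ab'.repeat(32) });
  const req = list.requestSubscription('Reader@Example.com', { ip: '203.0.113.5', source: 'footer-form' });
  t += 60 * 1000;                                        // link clicked one minute later
  const wrong = list.confirm('reader@example.com', 'cd'.repeat(32), { ip: '203.0.113.5' });
  const ok = list.confirm('reader@example.com', req.confirmToken, { ip: '203.0.113.5' });
  return { wrong, ok, mailable: list.isMailable('reader@example.com'), list };
}
```

The consent record is what you produce when a subscriber or a regulator asks "when did I agree to this?", which is why it captures the form that collected the address and both the request and confirmation IPs. Unsubscribe clears the mailable flag at once but deliberately keeps the record, so you can still show the opt-in was genuine if a complaint arrives later.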
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
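The five requirements listed above and the category table map directly onto what a consent script has to do: start with only strictly necessary cookies on, hold every other script back until an explicit choice, offer "Reject All" on equal footing with "Accept All", make withdrawal one action, and write a log entry for every decision. The following is an added example, not code from the article or from any of the plugins compared below: a minimal consent manager that enforces all five over the four categories in the table. The `visitorId`, `policyVersion` and the shape of the log records are assumptions; a real deployment would persist the log server-side and the current choice in a first-party cookie (which is itself strictly necessary).

```javascript
// Added example (not code from the article or from any consent plugin): a
// minimal consent manager enforcing prior, granular, withdrawable consent
// with an append-only consent log. Category names follow the article's table;
// visitorId, policyVersion and the log record shape are assumptions.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

function createConsentManager({ visitorId, policyVersion, onRevoke = () => {}, now = () => new Date() }) {
  // Default state: only strictly-necessary is on. Nothing else is pre-ticked.
  let state = { necessary: true, functional: false, analytics: false, marketing: false };
  let decided = false;                                   // no record exists until the visitor acts
  const log = [];                                        // append-only consent log
  const blocked = { functional: [], analytics: [], marketing: [] };  // loaders waiting for consent

  function record(method, choices) {
    const next = { ...state };
    for (const c of CATEGORIES) {
      if (c === 'necessary') continue;                   // exempt: always on, never toggled
      if (typeof choices[c] === 'boolean') next[c] = choices[c];
    }
    const previous = state;
    state = next;
    decided = true;
    // What was consented to, when, by whom, under which policy version.
    log.push({ visitorId, policyVersion, method, timestamp: now().toISOString(), choices: { ...state } });
    // Prior consent: a blocked loader runs only after an explicit opt-in for its category.
    for (const c of Object.keys(blocked)) {
      if (!state[c]) continue;
      while (blocked[c].length > 0) blocked[c].shift()();
    }
    // Withdrawal: let the page delete that category's cookies and stop further loads.
    for (const c of Object.keys(blocked)) {
      if (previous[c] && !state[c]) onRevoke(c);
    }
    return log[log.length - 1];
  }

  return {
    // Tag every third-party script with its category. Necessary scripts run at
    // once; everything else is held until the visitor opts in.
    registerScript(category, loader) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
      if (category === 'necessary' || state[category]) loader();
      else blocked[category].push(loader);
    },
    // "Accept All" and "Reject All" are offered as equals.
    acceptAll() { return record('accept_all', { functional: true, analytics: true, marketing: true }); },
    rejectAll() { return record('reject_all', { functional: false, analytics: false, marketing: false }); },
    // Granular choice from the settings panel, e.g. { analytics: true, marketing: false }.
    save(choices) { return record('custom', choices || {}); },
    // Withdrawal is one call and is logged exactly like giving consent.
    withdraw(category) { return record('withdraw', { [category]: false }); },
    allowed(category) { return category === 'necessary' || (decided && state[category]); },
    hasDecided() { return decided; },
    getLog() { return log.map((r) => ({ ...r, choices: { ...r.choices } })); },
  };
}

// Constructed walk-through: analytics is registered before any decision and
// stays blocked until the visitor explicitly opts in.
function demoConsent() {
  const events = [];
  const cm = createConsentManager({
    visitorId: 'visitor-constructed-1',
    policyVersion: '2024-01',
    onRevoke: (c) => events.push(`revoke:${c}`),
  });
  cm.registerScript('necessary', () => events.push('load:csrf'));
  cm.registerScript('analytics', () => events.push('load:analytics'));
  cm.registerScript('marketing', () => events.push('load:pixel'));
  cm.save({ analytics: true });                          // granular: analytics yes, marketing no
  cm.withdraw('analytics');
  return { events, log: cm.getLog(), manager: cm };
}
```

The two points worth copying into whatever plugin or script you use are that `allowed()` returns false for every non-necessary category until a decision has actually been recorded (scrolling past the banner changes nothing), and that withdrawal produces a log entry of the same shape as consent, so the consent records required above are complete in both directions.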
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
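The requirements above (no pre-ticked boxes, granular categories, easy withdrawal, stored records) and the category table translate into a small consent state. The following is an added example written for this post, not code from the original or from any of the plugins compared below; the script manifest, user ids, policy version and in-memory store are constructed stand-ins for a real site's CMP configuration and storage.

```javascript
// Added example (not from the original post): a minimal consent state for the
// categories in the table above. Framework-free; the storage backend is a
// constructed in-memory Map standing in for localStorage or a consent cookie.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Every script that sets cookies is tagged with the category it belongs to.
// Constructed sample manifest; real sites keep this list in their CMP config.
const SCRIPT_MANIFEST = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/language-pref.js", category: "functional" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Default state: no non-essential category is pre-ticked. Only "necessary"
// is on, because strictly necessary cookies are exempt from consent.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Record an explicit user choice. `choices` lists the categories the user
// actively ticked; anything not listed stays off (no passive consent).
// Returns the record that must be stored: what, when, by whom, and which
// policy version was shown, so the record can be produced on request later.
function recordConsent(store, userId, choices, policyVersion, now = new Date()) {
  const state = defaultConsent();
  for (const c of choices) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    state[c] = true;
  }
  state.necessary = true; // not subject to consent, so it cannot be switched off
  const record = {
    userId,
    consentedAt: now.toISOString(),
    policyVersion,
    categories: { ...state },
    withdrawnAt: null,
  };
  store.set(userId, record);
  return record;
}

// Withdrawal must be as easy as giving consent: one call flips every
// non-essential category off and timestamps the withdrawal in the record.
function withdrawConsent(store, userId, now = new Date()) {
  const prev = store.get(userId);
  const record = {
    ...(prev ?? { userId, consentedAt: null, policyVersion: null }),
    categories: defaultConsent(),
    withdrawnAt: now.toISOString(),
  };
  store.set(userId, record);
  return record;
}

// Script blocking: given the stored record (or none), return only the
// scripts whose category the user has actually consented to. With no record
// at all, only strictly necessary scripts may load ("prior" consent).
function scriptsAllowed(store, userId) {
  const state = store.get(userId)?.categories ?? defaultConsent();
  return SCRIPT_MANIFEST.filter((s) => state[s.category] === true).map((s) => s.src);
}
```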
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
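One way to enforce “do not collect card numbers in your own forms” on the server side, as an added example that is not from the original post or from Stripe, PayPal or WooCommerce: screen incoming form bodies for values that look like a card number and reject the request before anything is stored or logged. The function names and the sample request bodies are constructed.

```javascript
// Added example (not from the original post): a server-side guard that
// refuses form submissions carrying what looks like a card number, so a
// mis-built checkout form cannot silently pull raw card data onto your
// server (and out of SAQ A scope). Framework-free; call screenSubmission()
// in front of any handler that receives form or JSON bodies.

// Luhn check on a string of digits (the check digit used by card numbers).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like" a PAN when, after stripping spaces and dashes, it is
// 13-19 digits and Luhn-valid. Phone numbers and most order IDs fail one of
// the two tests, which keeps false positives low.
function looksLikeCardNumber(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Walk a (possibly nested) form/JSON body and return the paths of every field
// that looks like a PAN. An empty array means the request is safe to accept.
function findCardNumberFields(body, prefix = "") {
  const hits = [];
  if (body === null || typeof body !== "object") return hits;
  for (const [key, val] of Object.entries(body)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (val !== null && typeof val === "object") {
      hits.push(...findCardNumberFields(val, path));
    } else if (looksLikeCardNumber(val)) {
      hits.push(path);
    }
  }
  return hits;
}

// Decision helper: returns { ok, reason } so the caller can answer with a
// 400 and log the offending field names (never the values) for follow-up.
function screenSubmission(body) {
  const fields = findCardNumberFields(body);
  return fields.length === 0
    ? { ok: true, reason: null }
    : { ok: false, reason: `card-number-like value in: ${fields.join(", ")}` };
}
```

The processor token that Stripe.js or the PayPal buttons hand back is an opaque string, so it passes this screen while a raw PAN typed into a home-made field does not.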
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU or monitors their behaviour, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. Use an explicit “I agree” checkbox for anything you need to enforce (accounts, purchases); “using the site implies acceptance” wording (browsewrap) is frequently held unenforceable by courts
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storage of or access to information on the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts count just as cookies do. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, by which user, and which version of the banner and policy they were shown
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month; GDPR allows two further months for complex or numerous requests if you tell the person within the first month)
- Process for deletion requests (erase data within one month, with exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but only cover plugin data if the plugin registers its own exporter and eraser through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Run a test export for a known account and check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear in it before you rely on the tool.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Record every breach internally, including the ones you decide not to report and why, since the regulator can ask for that log. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and treat the Global Privacy Control (GPC) browser signal as an opt-out request, which California regulators actively enforce. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). Reduced is not zero: you remain responsible for the integrity of the page that embeds the form, so a compromised theme, plugin or admin account that can inject JavaScript into your checkout can still skim cards.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they never reach your server logs either. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server; the only card-related values your application should ever see are the processor’s token and, at most, the card brand and last four digits.
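A check worth running on your own stack, as an added example (not code from the page or from Stripe, PayPal or WooCommerce): scan incoming request bodies for anything that looks like a card number before it is stored or logged, so you can prove the tokenized flow is the only one that exists. A Luhn check keeps 16-digit order numbers from being flagged. The field names and sample bodies are constructed, and the middleware follows the Express (req, res, next) convention, which is an assumption about your stack.

```javascript
// Added example (not from the page, Stripe, PayPal or WooCommerce): a server-
// side guard that confirms no card number ever lands in your request bodies,
// database or logs, which is what keeps you in SAQ A scope. Field names and
// the sample bodies below are constructed for illustration.

// Luhn checksum, which every real card number satisfies.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes as people
// type them. Luhn is what separates a card from a 16-digit order id.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

function findCardNumbers(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_PATTERN)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// First 6 / last 4 is the usual permitted display form; never write the
// full PAN you just found into the error log.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Walks a parsed JSON body (or any nested object) and reports where card
// data appears. An empty result is the outcome you want on every route.
function findCardDataInBody(body, path = '') {
  const found = [];
  if (body === null || body === undefined) return found;
  if (typeof body === 'string' || typeof body === 'number') {
    for (const pan of findCardNumbers(body)) found.push({ path, masked: maskPan(pan) });
  } else if (typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      found.push(...findCardDataInBody(value, path ? `${path}.${key}` : key));
    }
  }
  return found;
}

// Express-style middleware: refuse the request instead of storing it, and
// alert, because a PAN arriving here means some form is bypassing the
// processor's tokenization.
function rejectCardData(req, res, next) {
  const hits = findCardDataInBody(req.body);
  if (hits.length === 0) return next();
  console.error('PAN received by application server, request refused:', hits);
  return res.status(400).json({ error: 'card details must be entered in the payment form' });
}
```

Run the same findCardDataInBody over a day of application logs and form-plugin submissions as well. Contact forms and support tickets are where card numbers usually leak into a WordPress site, and a single stored PAN moves you out of SAQ A.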
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office, have a working takedown process, and adopt and reasonably enforce a policy for terminating repeat infringers.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, so put the renewal date in the same calendar as the compliance tasks below. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a neutral age screen (one that does not hint at the “right” answer) to registration forms if there is any possibility of underage users. Do not store the date of birth after the check unless you have a separate reason to keep it.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - log the timestamp and the version of the terms accepted, because a record that cannot say which terms were agreed to is hard to rely on later. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing box must be unticked by default.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), explicit opt-in is required for commercial messages, with narrow exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly (cookie-less, IP anonymization on, no cross-site tracking; the French CNIL publishes the exact configuration it exempts from consent).
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: GDPR Article 7 requires you to be able to demonstrate that consent was given, so store a record of what was consented to, when, under which version of your cookie policy, and for which visitor (keyed by a random consent ID stored with the visitor, not by name or IP address)
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes - consent is required for the cookies and for the visitor-level data they collect; the exception is a cookie-less, aggregate-only analytics setup (see Privacy-First Analytics Options) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt; GDPR allows an extension of up to two further months for complex or numerous requests, but you must tell the requester about the extension within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as data you are legally required to retain)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if you miss the 72 hours, the notification must explain the delay. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Keep an internal register of every breach, including the ones you decide not to report and why, because the regulator can ask to see it. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (typically an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor's servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything reaches your server. One caveat: the page that embeds the payment form is still yours. A compromised plugin or theme that injects a script into the checkout page can overlay or replace the processor's form and skim card numbers before they are ever tokenized, so treat the checkout page with the same care as the admin area - minimal plugins, prompt updates, and a check for unexpected script changes after every plugin install.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6, takes about 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or the designation lapses along with the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance. GDPR consent is separate from that: account data needed to provide the service is processed on the contract basis and needs no checkbox, while anything consent-based, such as email marketing, needs its own unticked checkbox. Folding marketing consent into the terms acceptance is bundled consent, which is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under the ePrivacy rules and GDPR because it sets identifying cookies and sends visitor-level data to Google's servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour (Article 3(2)). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union (EEA) | Any organisation offering goods or services to, or monitoring the behaviour of, people in the EU | Lawful basis for processing, valid consent, data subject rights, breach notification, DPO where core activities involve large-scale monitoring or special-category data | 20M EUR or 4% of global annual turnover, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale or sharing, no discrimination for exercising rights | $2,500 per violation, $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% of Brazilian annual revenue (up to R$50M per infraction) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 per offence |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by the ICO | £17.5M or 4% of global annual turnover, whichever is higher |
The practical implication: if your site offers goods or services to people in the EU, or monitors their behaviour (analytics, advertising pixels, personalisation), you are subject to GDPR no matter where you are based. Since EU visitors reach most English-language websites and nearly every site runs some form of tracking, treat GDPR compliance as the baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers), and whether data leaves the EU/UK and on what basis (for example Standard Contractual Clauses)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, object to processing, withdraw consent, and lodge a complaint with a supervisory authority
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox at registration or checkout ("clickwrap") is reliably enforceable; "by using this site you agree" ("browsewrap") is frequently not upheld by courts, so treat it as a fallback rather than the main mechanism
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies, and a "Reject All" choice must be as prominent and as easy as "Accept All". A banner whose only one-click option is "Accept All" is not collecting valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A "Cookie settings" link in the footer that reopens the banner is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Art. 7(1)), so store what was consented to, when, and under which version of the banner text, tied to a random consent ID rather than to the visitor's identity; the record must not itself become a new tracking identifier
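Consent plugins implement these rules for you; to make the mechanics concrete, here is an added example (not code from this post or from any plugin) of the decision logic behind a consent-gated script loader, written so the decision functions run under Node for testing while the browser glue at the end only executes when a DOM exists. It shows "prior" consent (nothing but strictly necessary scripts load until a choice is recorded), granular categories, a stale policy version forcing a fresh choice, a consent record keyed by a random ID, withdrawal, and a browser Global Privacy Control signal treated as a refusal of marketing. The script URLs, the cookie name `consent`, the policy version and `showConsentBanner` are assumptions.

```javascript
// Added example, not code from the post or from any consent plugin: the decision
// logic of a consent-gated script loader, written so it runs under Node for
// testing; the browser glue at the bottom only executes when a DOM is present.
// Script URLs, the cookie name "consent" and POLICY_VERSION are assumptions.
'use strict';

const POLICY_VERSION = '2026-01'; // bump whenever the cookie policy or categories change
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Third-party scripts by category. Nothing listed here is in the page's HTML;
// it is injected only after the matching category has been consented to.
const SCRIPT_REGISTRY = [
  { category: 'necessary', src: '/static/app.js' },
  { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// State before any choice: strictly necessary only, nothing pre-ticked, and
// decided=false so scrolling or continuing to browse never counts as consent.
function defaultConsent() {
  return { version: POLICY_VERSION, decided: false, timestamp: null,
           necessary: true, functional: false, analytics: false, marketing: false };
}

// Record an explicit choice. A category is on only if the visitor set it to true.
// gpcSignal is the browser's Global Privacy Control (navigator.globalPrivacyControl
// or the Sec-GPC header): a legally recognised opt-out of sale/sharing, so the
// conservative choice is to veto marketing even when the banner said "accept".
function applyChoice(choices, gpcSignal = false, now = Date.now()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) if (c !== 'necessary') state[c] = choices[c] === true;
  if (gpcSignal) state.marketing = false;
  state.decided = true;
  state.timestamp = new Date(now).toISOString();
  return state;
}
const rejectAll = (gpc = false, now = Date.now()) => applyChoice({}, gpc, now);
const acceptAll = (gpc = false, now = Date.now()) =>
  applyChoice({ functional: true, analytics: true, marketing: true }, gpc, now);

// First-party cookie value: "version|decided|bitmask", e.g. "2026-01|1|1010"
// (necessary and analytics on, functional and marketing off).
function serializeConsent(state) {
  return `${state.version}|${state.decided ? 1 : 0}|${CATEGORIES.map(c => (state[c] ? '1' : '0')).join('')}`;
}
// Parse it back; a cookie from an older policy version is treated as no choice.
function parseConsent(value) {
  const m = /^([^|]+)\|([01])\|([01]{4})$/.exec(value || '');
  if (!m || m[1] !== POLICY_VERSION) return defaultConsent();
  const state = defaultConsent();
  state.decided = m[2] === '1';
  CATEGORIES.forEach((c, i) => { state[c] = m[3][i] === '1'; });
  state.necessary = true; // cannot be switched off by editing the cookie
  return state;
}

// Exactly the scripts whose category is on. Before a decision that is only "necessary".
function scriptsAllowed(state, registry = SCRIPT_REGISTRY) {
  return registry.filter(s => state[s.category] === true).map(s => s.src);
}

// The record to keep server-side (GDPR Art. 7(1): you must be able to demonstrate
// consent). Keyed by a random consent id, never by the visitor's identity.
function consentRecord(state, consentId, bannerText) {
  return { consentId, policyVersion: state.version, timestamp: state.timestamp,
           choices: Object.fromEntries(CATEGORIES.map(c => [c, state[c]])), bannerText };
}

// Browser glue (skipped under Node): read the cookie, honor GPC, inject only what
// is allowed, and expose withdraw() for the footer "Cookie settings" link.
if (typeof document !== 'undefined') {
  const read = () => parseConsent((document.cookie.split('; ').find(c => c.startsWith('consent=')) || '').slice(8));
  const write = (s) => { document.cookie = `consent=${serializeConsent(s)}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`; };
  const load = (s) => scriptsAllowed(s).forEach(src => {
    const el = document.createElement('script'); el.src = src; el.async = true; document.head.appendChild(el);
  });
  const gpc = typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true;
  const current = read();
  if (current.decided) load(current); else if (typeof window.showConsentBanner === 'function') window.showConsentBanner();
  window.consent = {
    accept: () => { const s = acceptAll(gpc); write(s); load(s); return s; },
    reject: () => { const s = rejectAll(gpc); write(s); load(s); return s; },
    save:   (choices) => { const s = applyChoice(choices, gpc); write(s); load(s); return s; },
    // Withdrawal must be as easy as consent: reset and reload so already-loaded
    // trackers stop running; clearing their own cookies is a separate cleanup step.
    withdraw: () => { write(defaultConsent()); window.location.reload(); },
  };
}
```

Two details matter when you audit a real banner against this: the tracking script must be absent from the HTML until consent exists (view-source, not just the cookie list, is the check), and a bump of the policy version must invalidate old cookies so that changed categories are never covered by a choice the visitor made under the old text.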
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (cookie mode), Hotjar session recordings | Yes under GDPR; cookie-less analytics configurations are the exception, discussed under Privacy-First Analytics |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of receipt, extendable by two further months for complex or numerous requests; verify the requester's identity before releasing anything)
- Process for deletion requests (erase within the same one-month window, with exceptions such as records you must keep for tax or other legal obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also tell the affected individuals without undue delay. Every breach, reported or not, goes into an internal breach log recording the facts, the effects and the remedial action (Art. 33(5)). Designate someone responsible for breach assessment and notification, and make sure your hosting and plugin vendors (your processors) are contractually required to tell you promptly when they are breached, because your 72 hours start when you become aware.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a "Do Not Sell or Share My Personal Information" link in your site footer, and honor the browser's Global Privacy Control (GPC) opt-out signal, which California treats as a valid opt-out request that must be respected automatically. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether yours also reacts to GPC by actually changing the marketing-cookie default when the signal is present.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form (an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the visitor's browser to the processor and never touches your servers, your PCI scope shrinks to SAQ A, the simplest self-assessment questionnaire.
Do not collect card numbers in your own forms, and do not store card numbers anywhere in your database or logs. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly: the card details are collected client-side inside the processor's iframe and tokenized, and only the token reaches your server. One caveat even in SAQ A scope: the page that embeds the processor's form is still yours, and a script injected into it (a compromised plugin, a Magecart-style skimmer) can overlay a fake card form or redirect the payment. Lock checkout pages down with a Content-Security-Policy that only allows the processor's domains, Subresource Integrity on third-party scripts, and file-integrity monitoring of the site's code.
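A control worth adding on the server side, as an added example and not code from this post or from Stripe or PayPal: a tripwire that scans every checkout submission for anything that looks like a card number (a Luhn-valid run of 13 to 19 digits) and refuses the request, so a misconfigured or tampered form cannot quietly put raw PANs into your logs or database and pull the server into PCI scope. The field names `payment_method_id` and `payment_token` and the sample bodies are assumptions; the number 4242 4242 4242 4242 used in the test is Stripe's published test card, not real card data.

```javascript
// Added example, not code from the post or from any payment processor: a
// server-side tripwire that refuses any checkout submission containing a raw
// card number, so a misconfigured or tampered form cannot drag the server into
// PCI scope. Field names and sample bodies are assumptions for the example.
'use strict';

// Luhn checksum, which every real PAN satisfies; used to separate card numbers
// from order numbers, phone numbers and other long digit strings.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Mask for logging: first six and last four digits only, never the full number.
const mask = (d) => `${d.slice(0, 6)}${'*'.repeat(d.length - 10)}${d.slice(-4)}`;

// Find Luhn-valid 13-19 digit numbers in free text, allowing space/dash grouping.
// A digit run may hold a PAN next to other digits (a date, an order id), so every
// window is tested longest-first and consumed digits are not reported twice.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(/(?:\d[ -]?){12,}\d/g)) {
    const digits = m[0].replace(/[ -]/g, '');
    const used = new Array(digits.length).fill(false);
    for (let len = 19; len >= 13; len--) {
      for (let i = 0; i + len <= digits.length; i++) {
        if (used.slice(i, i + len).some(Boolean)) continue;
        const w = digits.slice(i, i + len);
        if (luhnValid(w)) { found.push(mask(w)); used.fill(true, i, i + len); i += len - 1; }
      }
    }
  }
  return found;
}

// Walk a parsed request body (strings, arrays, nested objects) and report hits
// with the field path, e.g. "customer.notes".
function scanBody(body, path = '') {
  const hits = [];
  if (body === null || body === undefined) return hits;
  if (typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) hits.push(...scanBody(v, path ? `${path}.${k}` : k));
  } else {
    for (const masked of findPans(body)) hits.push({ field: path, masked });
  }
  return hits;
}

// Gate for the order endpoint: accept only a processor token (hypothetical
// field names) and nothing that looks like a PAN anywhere in the body.
function checkPaymentRequest(body) {
  const hits = scanBody(body);
  if (hits.length > 0) return { ok: false, reason: 'raw card data in request', hits };
  const token = body && (body.payment_method_id || body.payment_token);
  if (typeof token !== 'string' || token.length === 0) return { ok: false, reason: 'missing processor token', hits: [] };
  return { ok: true, reason: 'tokenized payment', hits: [] };
}
```

Run the same scanner over your web server and application logs on a schedule: a single masked hit there means card data has already touched your infrastructure and your SAQ A self-assessment is no longer accurate.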
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age in your ToS (13 in the US under COPPA; the GDPR age of digital consent is 16 by default, and member states set it anywhere between 13 and 16), and add a date-of-birth or age check to registration forms if there is any real possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Ticking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account. For GDPR consent, separate, unticked checkboxes for each consent purpose (email marketing versus the account data needed to provide the service) are required. Bundled consent is not valid, and consent to marketing cannot be made a condition of creating the account.
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself - use a hosted payment page or a processor-hosted embedded form (an iframe or redirect from Stripe, PayPal, or Square). When card data goes straight from the visitor’s browser to the processor and never touches your server or your page’s own JavaScript, your scope shrinks to SAQ A (the shortest self-assessment questionnaire). If instead your own JavaScript handles the card fields and posts them to the processor, you fall under the longer SAQ A-EP, because a compromise of your page can now capture card data. Either way you remain responsible for the integrity of the checkout page that loads the payment form: inventory every script on it, restrict what can load with a Content-Security-Policy header, and use Subresource Integrity for third-party scripts where the vendor supports pinned versions.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
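A check that the rule above holds in practice, as an added example that is not from the article or from any processor’s code: a scan of application logs or a database export for Luhn-valid card-number-length digit runs, the way PCI assessors look for cardholder data that leaked into places it should never be (debug-logged form bodies and retry handlers are the classic sources). The log lines are constructed for the example; the report shows only the first six and last four digits so that the report itself does not become cardholder data.

```javascript
// Added example: scan text (logs, a SQL dump, a form-submission table export) for
// stored primary account numbers. Not code from the article or any payment processor;
// the sample log below is constructed.

// Luhn check: the mod-10 checksum every real PAN satisfies. It filters out most
// digit runs of card-number length (timestamps, order ids) that are not cards.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes, bounded by
// non-digits. The lookarounds stop a 16-digit slice of a longer run (a hash,
// a 20-digit id) from being reported as a card.
const CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Returns one hit per Luhn-valid candidate, with the PAN masked to first 6 / last 4
// so the scan output can be stored and shared without itself being in PCI scope.
function findPans(text) {
  const hits = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const m of lineText.matchAll(CANDIDATE)) {
      const digits = m[0].replace(/[ -]/g, '');
      if (digits.length < 13 || digits.length > 19) continue;
      if (/^(\d)\1*$/.test(digits)) continue; // 0000... passes Luhn but is not a card
      if (!luhnValid(digits)) continue;
      hits.push({
        line: idx + 1,
        column: m.index + 1,
        masked: digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4),
      });
    }
  });
  return hits;
}

// Constructed sample: line 1 is what a correct integration logs (a token only);
// lines 2 and 4 are the kind of leak a debug statement or retry handler produces;
// lines 3 and 5 are digit runs that must not be reported.
const SAMPLE_LOG = [
  '2025-03-01T10:02:11Z INFO  order=100234 token=tok_1Nv2Xk status=paid',
  '2025-03-01T10:02:12Z DEBUG raw_form={"card":"4242 4242 4242 4242","exp":"12/27"}',
  '2025-03-01T10:05:40Z INFO  phone=+1 555 0100 123 ref=20250301100540',
  '2025-03-01T10:07:02Z WARN  retry card_number=5555555555554444 cvc=***',
  '2025-03-01T10:09:00Z INFO  id=12345678901234567890 sha=3f2a9c8e1b7d4e6f',
].join('\n');

function report(text) {
  return findPans(text).map(h => `line ${h.line} col ${h.column}: possible PAN ${h.masked}`);
}

console.log(report(SAMPLE_LOG).join('\n'));
```

Run it over rotated log archives and a fresh database dump, not just the live tables: a leak that happened once six months ago is still cardholder data. A hit means the affected storage is in PCI scope until the data is purged and the logging path fixed.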
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for sites serving EU users, since GDPR lets member states set the age of digital consent anywhere from 13 to 16), and add a date of birth or age check to registration forms if there is any possibility of underage users. Ask for the age neutrally (do not state that under-13s are blocked) and do not let a rejected visitor go back and enter a different age; a session cookie that remembers the failed check is the usual fix.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - provided you also store which version of the terms was shown and when it was accepted. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, the marketing box must be unticked by default, and registration must not depend on ticking it - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the narrow “soft opt-in” for existing customers of similar products comes from the ePrivacy rules and still requires an opt-out in every message). Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with limited exceptions for implied consent such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies off and IP anonymisation on, several EU regulators (the French CNIL among them) accept it as exempt from the ePrivacy consent requirement; GDPR itself still applies because IP addresses are personal data, so it needs a lawful basis (normally legitimate interest) and a line in your privacy policy.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes the analytics category from your cookie consent banner (the tool still has to be disclosed in the privacy policy), simplifies the banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, under which version of your cookie policy, and for which pseudonymous consent ID (not the visitor’s identity), so you can show on request that a given choice was made
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (default cookie mode), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
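The mechanics behind the requirements listed above, shown as an added example (not code from the article or from any of the consent plugins it discusses): non-essential scripts ship inert, nothing runs until a valid record for the current policy version exists, only a literal opt-in counts, a stale record triggers a re-prompt, and withdrawal expires the first-party cookies of every refused category. The cookie name, the policy version, the `data-consent` script-marker convention and the per-category cookie inventory are assumptions.

```javascript
// Added example: a minimal prior-consent gate. Not code from the article or from any
// consent plugin. Cookie name, policy version, the data-consent marker convention and
// the cookie inventory below are assumptions for this example.

const CONSENT_COOKIE = 'site_consent';                       // assumed cookie name
const POLICY_VERSION = 3;                                    // bump when the cookie policy changes
const CATEGORIES = ['functional', 'analytics', 'marketing']; // strictly-necessary needs no consent

// First-party cookies each category is known to set (assumed inventory, as a cookie
// scanner would report it; the GA4 property cookie name is a placeholder).
const CATEGORY_COOKIES = {
  functional: ['site_lang'],
  analytics: ['_ga', '_ga_ABC123', '_gid'],
  marketing: ['_fbp', '_gcl_au'],
};

function randomId() {
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID();
  }
  return 'c-' + Math.random().toString(36).slice(2) + Date.now().toString(36);
}

// Read the consent record from a document.cookie-style string. Returns null if there
// is none, it is malformed, or it predates the current policy version: in all three
// cases the banner must be shown and nothing non-essential may run.
function parseConsent(cookieHeader) {
  const entry = String(cookieHeader || '')
    .split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    if (rec.v !== POLICY_VERSION || typeof rec.cats !== 'object') return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// Turn the visitor's explicit choices into a record. Only a literal `true` counts as
// consent; anything missing, or truthy but not boolean, is treated as refused.
// This is "no pre-ticked boxes" expressed in code.
function buildConsent(choices, now = new Date()) {
  const cats = {};
  for (const c of CATEGORIES) cats[c] = choices[c] === true;
  return { v: POLICY_VERSION, id: randomId(), ts: now.toISOString(), cats };
}

// "Reject all" and "withdraw" produce the same record: every category false.
function rejectAll(now = new Date()) {
  return buildConsent({}, now);
}

function serializeConsent(rec, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(rec));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Decide which inert scripts may be activated. Scripts are modelled as
// { category, src } objects; in the DOM they are <script type="text/plain"
// data-consent="analytics" data-src="..."> and are activated by swapping in a real
// script element. Fail closed: no record, or an unknown category, means nothing runs.
function allowedScripts(scripts, consent) {
  if (!consent) return [];
  return scripts.filter(s => consent.cats[s.category] === true);
}

// Cookie strings that expire the first-party cookies of every refused category, to be
// applied on withdrawal before reloading the page. Third-party cookies cannot be
// cleared from your origin; stopping the script is the only remedy there.
function cookiesToExpire(consent) {
  const out = [];
  for (const c of CATEGORIES) {
    if (consent.cats[c]) continue;
    for (const name of CATEGORY_COOKIES[c] || []) {
      out.push(`${name}=; Max-Age=0; Path=/; SameSite=Lax; Secure`);
    }
  }
  return out;
}

// Browser glue (needs a real document): activates permitted scripts and tells the
// caller whether the banner must be rendered.
function bootstrap(doc) {
  const consent = parseConsent(doc.cookie);
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map(el => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  for (const s of allowedScripts(inert, consent)) {
    const live = doc.createElement('script');
    live.src = s.src;
    s.el.replaceWith(live);
  }
  return consent === null;
}
```

The record the banner writes (`id`, `ts`, `v`, `cats`) is also what you POST to your own endpoint for the consent log; store it against the pseudonymous `id`, not the user account. Bumping `POLICY_VERSION` when you add a new tracking tool is what forces a fresh prompt instead of silently extending old consent to cover it.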
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month, extendable by up to two further months for complex or numerous requests, with the requester told why)
- Process for deletion requests (erase data within one month, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour - which is what analytics and advertising pixels do. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to people in the EU or monitoring their behaviour | Lawful basis for processing, consent, data subject rights, DPO for large-scale or sensitive processing | 4% of worldwide annual turnover or EUR 20M, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible, collects any data (email signups, contact forms, cookies, analytics), and serves or tracks visitors in the EU, you are almost certainly subject to GDPR. Given that EU-based visitors reach most English-language websites and that analytics alone counts as monitoring behaviour, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies, and refusing must be as easy as accepting. A banner with a one-click "Accept All" and no equally prominent "Reject All" does not collect valid consent; the CNIL has fined major sites on exactly this point.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of your cookie policy, and for which visitor. A pseudonymous consent ID set by the banner is the norm; you do not need to identify the person to keep the record.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR for cookie-based tracking. A cookie-less, self-hosted configuration (Matomo offers one) may fall under an audience-measurement exemption, but only where the regulator recognises one |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and at the latest within one month; this can be extended by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Every breach, including those you judge not reportable, must be documented internally with the facts, its effects and the remedial action taken. Designate someone responsible for breach assessment and notification in your organization, and agree in advance how your hosting provider and other processors will tell you about incidents on their side: processors are required to notify you without undue delay, but the 72-hour clock is yours.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (adjusted periodically for inflation), buy/sell/share personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details in an iframe or hosted form served by the processor and handing your server a token instead of the card number. The page that embeds that form is still yours to protect: an attacker who can run JavaScript on your checkout page (through a compromised plugin or theme, for instance) can overlay or replace the payment form and skim cards before they ever reach the processor. Keep unvetted third-party scripts off the checkout page, keep plugins updated, and consider a Content-Security-Policy header that restricts where scripts may load from.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory. The designation expires after three years and must be renewed, or the safe harbor lapses with it; set a reminder. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR sets the age of digital consent at 16 and lets member states lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. If that check reveals a user under the threshold, refuse the registration and do not retain what was submitted: once you know a user is under 13, collecting their data without parental consent is exactly what COPPA prohibits.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account. For GDPR purposes keep consent separate from that acceptance: email marketing needs its own unticked checkbox that the user can leave empty and still register, while the processing needed to run the account itself rests on the contract with the user and needs no checkbox at all. A single box that bundles the ToS, the privacy policy and marketing consent is not valid consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the narrow “soft opt-in” for existing customers comes from the ePrivacy rules and varies by country). Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with limited implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Configured that way (no cookies, IP anonymization on, no cross-site tracking) it can run without a consent banner under the audience-measurement exemptions some regulators allow - the CNIL, for example, publishes the conditions under which Matomo qualifies - but that is a regulator-specific position, not a GDPR-wide rule.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
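The practical requirements listed above (no pre-ticked boxes, granular choices, prior consent, easy withdrawal, consent records) and the category table map directly onto a small consent gate. The JavaScript below is an added example, not code from the article or from any of the plugins it compares; the injected storage interface, the `CONSENT_VERSION` value, the `cookie_consent` key and the sample user id are constructed for illustration.

```javascript
// Added example (not from the original article or any plugin it names): a minimal
// cookie-consent gate that implements the legal requirements listed above.
//  - no pre-ticked boxes: every non-essential category defaults to false
//  - prior consent: nothing non-essential may load until a decision is recorded
//  - granular: functional, analytics and marketing are decided separately
//  - easy withdrawal: one call, same as acceptance
//  - consent records: what was consented to, when, by whom, and how
// Storage is injected so the code runs without a browser; on a real site pass
// window.localStorage (or a cookie-backed shim) and mirror records to a server-side log.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Constructed value: bump this when the cookie policy changes materially so that
// records given for the old policy no longer count as consent for the new one.
const CONSENT_VERSION = '2024-01';

function defaultChoices() {
  // Strictly necessary cookies are exempt; everything else starts as "no".
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

function createConsentManager(storage, now = () => new Date()) {
  const KEY = 'cookie_consent'; // constructed storage key

  function load() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    try {
      const record = JSON.parse(raw);
      return record.version === CONSENT_VERSION ? record : null;
    } catch (e) {
      return null; // corrupt record: treat as "no decision yet"
    }
  }

  function save(choices, userId, method) {
    const record = {
      version: CONSENT_VERSION,
      timestamp: now().toISOString(),
      userId: userId || null,          // anonymous visitors get null
      method,                          // 'banner' | 'settings' | 'withdraw'
      // Spread order guarantees 'necessary' can never be switched off.
      choices: { ...defaultChoices(), ...choices, necessary: true },
    };
    storage.setItem(KEY, JSON.stringify(record));
    return record;
  }

  return {
    // Whether any decision exists; the banner should show only while this is false.
    hasDecision: () => load() !== null,
    // Prior consent: with no valid record, only 'necessary' is permitted.
    canLoad(category) {
      if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
      if (category === 'necessary') return true;
      const record = load();
      return record !== null && record.choices[category] === true;
    },
    acceptAll: (userId) => save({ functional: true, analytics: true, marketing: true }, userId, 'banner'),
    rejectAll: (userId) => save({}, userId, 'banner'),
    // Granular settings: only the categories explicitly set to true are allowed.
    saveSettings: (choices, userId) => save(choices, userId, 'settings'),
    // Withdrawal is as easy as giving consent: a single call resets to necessary-only.
    withdraw: (userId) => save({}, userId, 'withdraw'),
    record: () => load(),
  };
}

// Gate a third-party tag by category: `loader` runs only when consent allows it.
// Returns true if the tag was loaded, false if it was blocked.
function loadIfConsented(manager, category, loader) {
  if (!manager.canLoad(category)) return false;
  loader();
  return true;
}

// Constructed in-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Stand-alone demonstration of the banner flow.
function demo() {
  const manager = createConsentManager(memoryStorage());
  const blockedBefore = loadIfConsented(manager, 'analytics', () => {}); // false: no decision yet
  manager.saveSettings({ analytics: true }, null);                       // visitor ticks only analytics
  const analyticsAfter = manager.canLoad('analytics');                    // true
  const marketingAfter = manager.canLoad('marketing');                    // false
  manager.withdraw(null);
  return { blockedBefore, analyticsAfter, marketingAfter, afterWithdraw: manager.canLoad('analytics') };
}
```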
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (a free browser extension) for an accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-ticked boxes, granular per purpose, withdrawable at any time)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
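The five requirements above, implemented as an added example (not the article's code, nor that of any plugin compared earlier): non-essential scripts ship inert and only run once a valid, granular record says so; reject-all is a one-click peer of accept-all; withdrawal is a single call; and every decision is stored with its timestamp and policy version. The policy version, storage key and re-consent age are hypothetical values you would set for your own site.

```javascript
// Added example, not code from the article or from any plugin it compares: a minimal
// consent manager for the requirements listed above. Assumptions: non-essential scripts are
// embedded inert as <script type="text/plain" data-consent-category="analytics" src="...">,
// the record lives in a localStorage-like store, and the constants below are hypothetical.
'use strict';

const CATEGORIES = ['functional', 'analytics', 'marketing']; // 'necessary' is exempt
const POLICY_VERSION = '2024-06-v1';  // hypothetical; bump whenever the cookie policy text changes
const STORAGE_KEY = 'cookie_consent'; // hypothetical storage key
const MAX_AGE_DAYS = 180;             // re-ask after this long; a site choice, not a legal figure

// No pre-ticked boxes: every optional category starts out refused.
function defaultChoices() {
  return { functional: false, analytics: false, marketing: false };
}

// The consent record: what was consented to, when, and under which policy version.
// Only an explicit boolean true counts as consent; anything else is recorded as refused.
function buildConsentRecord(choices, now = new Date(), policyVersion = POLICY_VERSION) {
  const record = { policyVersion, timestamp: now.toISOString(), choices: defaultChoices() };
  for (const category of CATEGORIES) record.choices[category] = choices[category] === true;
  return record;
}

// "Accept all" and "Reject all" are equal one-click options; both produce a stored record,
// so a refusal is remembered instead of re-prompting the visitor on every page.
function acceptAll(now) {
  return buildConsentRecord(Object.fromEntries(CATEGORIES.map(c => [c, true])), now);
}
function rejectAll(now) { return buildConsentRecord({}, now); }

// A record is usable only if it was given for the current policy text and is not stale.
function isConsentValid(record, now = new Date(), policyVersion = POLICY_VERSION) {
  if (!record || record.policyVersion !== policyVersion || !record.choices) return false;
  const ageMs = now.getTime() - new Date(record.timestamp).getTime();
  return Number.isFinite(ageMs) && ageMs >= 0 && ageMs <= MAX_AGE_DAYS * 86400000;
}

// Prior blocking: given the inert scripts on the page, decide which may run.
// Strictly necessary scripts always run; everything else needs a valid record saying true.
function allowedScripts(scripts, record, now = new Date()) {
  const valid = isConsentValid(record, now);
  return scripts.filter(s =>
    s.category === 'necessary' || (valid && record.choices[s.category] === true));
}

// Persistence through any object with getItem/setItem/removeItem (localStorage in the browser).
function saveConsent(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}
function loadConsent(storage) {
  try { return JSON.parse(storage.getItem(STORAGE_KEY)); } catch (e) { return null; }
}
// Withdrawal is one call, as easy as consenting. Scripts already running keep running until
// the page reloads, so the caller should also delete the cookies they set and then reload.
function withdrawConsent(storage) {
  storage.removeItem(STORAGE_KEY);
  return loadConsent(storage);
}

// Browser glue: turn allowed inert scripts into executable ones. Scripts left inert never
// execute, which is what makes the consent "prior" rather than after the fact.
function activateScripts(doc, record) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const descriptors = inert.map(el => ({ category: el.dataset.consentCategory, el }));
  for (const { el } of allowedScripts(descriptors, record)) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

// Constructed sample page: one script per category (URLs are placeholders).
const SAMPLE_SCRIPTS = [
  { category: 'necessary', src: '/assets/cart.js' },
  { category: 'analytics', src: 'https://analytics.example/tag.js' },
  { category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Walk one visitor through first visit, analytics-only consent, and withdrawal.
function demo() {
  const map = new Map(); // stand-in for localStorage outside the browser
  const store = { getItem: k => (map.has(k) ? map.get(k) : null),
                  setItem: (k, v) => map.set(k, v), removeItem: k => map.delete(k) };
  const now = new Date('2024-06-15T10:00:00Z');
  const running = () => allowedScripts(SAMPLE_SCRIPTS, loadConsent(store), now).map(s => s.category);
  const before = running();                                        // ['necessary']
  saveConsent(store, buildConsentRecord({ analytics: true }, now));
  const after = running();                                         // ['necessary', 'analytics']
  withdrawConsent(store);
  const withdrawn = running();                                     // ['necessary']
  return { before, after, withdrawn };
}
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () =>
    activateScripts(document, loadConsent(window.localStorage)));
}
```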
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
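The point of the two paragraphs above is that the only payment value your server should ever see is an opaque token from the processor. The guard below is an added example written for this post; it is not code from Stripe, PayPal or WooCommerce. It assumes an order endpoint whose parsed body carries the processor's token in a field called `payment_token` (a name chosen for the example) and refuses to accept, store or log a request in which a full card number shows up anywhere, which is the failure that would put your server back in PCI scope. The sample orders are constructed.

```javascript
// Added example, not from the original post or any processor SDK. Defence in
// depth for a site that uses a hosted or embedded payment form: the server must
// only ever see an opaque processor token (field name `payment_token` is an
// assumption), never a primary account number (PAN).

// Luhn check on a string of digits: true when the check digit is consistent.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// A value "looks like" a card number only if a digit run of PAN length also
// passes Luhn; this keeps order ids and phone numbers out of the way.
function looksLikeCardNumber(value) {
  if (typeof value !== 'string') return false;
  for (const m of value.matchAll(PAN_PATTERN)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Walk a parsed request body (JSON or form fields) and return the dotted paths
// of every field that contains a card number. An empty list means clean.
function findCardNumberFields(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findCardNumberFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikeCardNumber(body)) {
    hits.push(path || '<root>');
  }
  return hits;
}

// Mask every Luhn-valid PAN in free text, keeping the last four digits, so the
// string can be written to an application log without leaking card data.
function redactCardNumbers(text) {
  return text.replace(PAN_PATTERN, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// The check an order handler runs before it touches the database or the logger.
// On { ok: false } the handler answers 400 and never persists the body.
function validateOrderRequest(body) {
  if (!body || typeof body !== 'object') return { ok: false, reason: 'no request body' };
  if (typeof body.payment_token !== 'string' || body.payment_token === '') {
    return { ok: false, reason: 'missing processor token' };
  }
  const fields = findCardNumberFields(body);
  return fields.length
    ? { ok: false, reason: 'raw card data in request', fields }
    : { ok: true };
}

// Constructed sample requests: the second one is what a misbuilt checkout form
// would send if it posted the card fields to your own server.
const GOOD_ORDER = { order_id: 'A1001', payment_token: 'tok_example_constructed', note: 'leave at door' };
const BAD_ORDER = {
  order_id: 'A1002',
  payment_token: 'tok_example_constructed',
  billing: { card: '4111 1111 1111 1111', exp: '12/28' },
};
```

The rejection reports field paths, never values, so the guard itself cannot leak a card number. A 13 to 19 digit id that happens to pass Luhn would be a false positive; that is the right trade for a check whose job is to fail closed, and the response tells the developer exactly which field to fix.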
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
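The five requirements above translate into a handful of decisions in whatever code loads your tags. The gate below is an added example written for this post, not code from Complianz, CookieBot or any other plugin in the comparison that follows. It assumes vendor tags are written into the page as inert `type="text/plain"` scripts with a `data-consent` category (a pattern several consent plugins use), a `localStorage` key and a policy version string chosen for the example, and the script URL in the comment is a placeholder.

```javascript
// Added example, not from the original post or any consent plugin. A minimal
// consent gate: nothing non-essential runs before an active, granular choice
// exists; a record made under an older policy version counts as no consent;
// withdrawal is one call. Storage key, version and tag markup are assumptions.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01';      // change whenever the cookie policy text changes
const STORAGE_KEY = 'cookie_consent';  // assumed localStorage key
const VALID_ACTIONS = new Set(['accept_all', 'reject_all', 'save_preferences']);

// Anonymous correlation id for the consent log. Not a secret, so the fallback
// for very old runtimes without Web Crypto is acceptable.
function newConsentId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 10);
}

// Build a record from an explicit user action. Whatever the user did not
// actively tick is recorded as refused: there is no default "yes" and no
// pre-ticked box. Scrolling or closing the banner is not a valid action.
function createConsentRecord(choices = {}, action, { now = new Date() } = {}) {
  if (!VALID_ACTIONS.has(action)) {
    throw new Error(`"${action}" is not an active consent action`);
  }
  const granted = { necessary: true }; // exempt, always allowed
  for (const cat of CATEGORIES.slice(1)) {
    granted[cat] = action === 'accept_all' ? true
      : action === 'reject_all' ? false
      : choices[cat] === true;
  }
  return { id: newConsentId(), version: POLICY_VERSION, timestamp: now.toISOString(), action, granted };
}

// The only question every loader asks before doing anything non-essential.
// Consent is specific to what was disclosed, so a record from an older policy
// version is treated as missing and the banner must be shown again.
function mayRun(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
  if (category === 'necessary') return true;
  return Boolean(record && record.version === POLICY_VERSION && record.granted[category] === true);
}

// Withdrawal is as easy as giving consent: same call, same record format.
function withdrawConsent(opts) {
  return createConsentRecord({}, 'reject_all', opts);
}

// Browser glue. Vendor tags are written inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/tag.js"></script>
// and become real scripts only for categories the record allows.
function activateConsentedScripts(record, doc = globalThis.document) {
  if (!doc) return 0; // not in a browser (e.g. under test)
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayRun(record, inert.dataset.consent)) continue;
    const live = doc.createElement('script');
    live.src = inert.dataset.src;
    inert.replaceWith(live);
    activated++;
  }
  return activated;
}

// The visitor's copy of the record. The server-side consent log the text asks
// for is a separate write that the banner's submit handler should also make.
function saveRecord(record, storage = globalThis.localStorage) {
  if (storage) storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}
function loadRecord(storage = globalThis.localStorage) {
  if (!storage) return null;
  const raw = storage.getItem(STORAGE_KEY);
  return raw ? JSON.parse(raw) : null;
}
```

On page load the sequence is `loadRecord()`, then `activateConsentedScripts(record)`; when `mayRun(record, 'analytics')` is false the analytics tag stays inert, which is what "prior" consent means in practice. The version check is the part most hand-rolled banners miss: changing what you disclose without re-asking leaves you with records that no longer cover the cookies you set.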
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
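The requirements above (no pre-ticked boxes, granular categories, easy withdrawal, a stored record) and the category table map directly onto a small piece of client logic. The following is an added example, not code from the post or from any of the plugins compared below: a consent manager that defaults every non-essential category to off, produces an auditable record with the policy version, treats records from an older policy version as no consent, and decides which third-party scripts may be injected. The category names come from the table; the record shape, the policy version string, the script list and the subject id are constructed for the example.

```javascript
// Added example (not from the original post or any plugin): granular consent
// state with script gating by category.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-01'; // assumption: bumped whenever the cookie policy text changes

// Default state: nothing except strictly necessary is on (no pre-ticked boxes).
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build an auditable consent record from the user's explicit choices.
// `necessary` cannot be switched off; unknown categories are rejected so a
// typo in the banner code cannot silently grant anything.
function buildRecord(choices, { subjectId, now = new Date() }) {
  const result = defaultChoices();
  for (const [cat, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    if (cat === 'necessary') continue;
    result[cat] = value === true;
  }
  return { subjectId, policyVersion: POLICY_VERSION, timestamp: now.toISOString(), choices: result };
}

// "Accept All" and "Reject All" are the two equally prominent banner buttons.
function acceptAll(ctx) {
  return buildRecord({ functional: true, analytics: true, marketing: true }, ctx);
}
function rejectAll(ctx) {
  return buildRecord({}, ctx);
}

// Withdrawal (footer "cookie settings" link) writes a fresh all-off record
// that points back at the record it supersedes.
function withdraw(record, now = new Date()) {
  return { ...buildRecord({}, { subjectId: record.subjectId, now }), withdrawnFrom: record.timestamp };
}

// A record only counts if it was given for the current policy version;
// otherwise the banner has to be shown again.
function isCurrent(record) {
  return !!record && record.policyVersion === POLICY_VERSION;
}

// Third-party tags are listed with their category (constructed sample list;
// the URLs are placeholders). Only tags in consented categories may load.
const SCRIPTS = [
  { id: 'ga4', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'ad-pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' },
  { id: 'lang-pref', category: 'functional', src: 'https://example.invalid/prefs.js' },
];

function scriptsToLoad(record, scripts = SCRIPTS) {
  if (!isCurrent(record)) return []; // no (valid) consent yet: load nothing
  return scripts.filter((s) => record.choices[s.category] === true).map((s) => s.id);
}
```

In a real page the tags in `SCRIPTS` are shipped inert (for example with a non-executable `type` attribute) and only the ids returned by `scriptsToLoad` are activated after the record is stored; the stored records are what you produce when a supervisory authority asks what a given visitor consented to and when.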
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
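The requirements list and category table above, encoded as an added example (not the article's code and not taken from any of the plugins compared below). Assumed conventions that are not on the page: non-essential scripts are embedded with type="text/plain" and a data-consent-category attribute and are only turned into live scripts after consent for that category is recorded, a random first-party visitor id (never an IP) identifies the consent record, and consent is re-requested whenever the cookie policy version changes.

```javascript
// Categories from the table above; only "strictly necessary" is exempt.
const CATEGORIES = ["strictly_necessary", "functional", "analytics", "marketing"];
const EXEMPT = new Set(["strictly_necessary"]);
const POLICY_VERSION = "2026-01"; // constructed value; bump when the cookie policy changes

// Prior consent: before the visitor acts, every non-exempt category is denied.
// Nothing is pre-ticked, and scrolling or browsing on changes nothing.
function defaultConsent() {
  const consent = {};
  for (const cat of CATEGORIES) consent[cat] = EXEMPT.has(cat);
  return consent;
}

// Granular consent from the banner's per-category checkboxes.
// `choice` maps category -> boolean. Missing categories are treated as refused,
// unknown categories are rejected, and exempt categories cannot be switched off.
function consentFromChoice(choice) {
  const consent = defaultConsent();
  for (const [cat, value] of Object.entries(choice)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    if (typeof value !== "boolean") throw new Error(`non-boolean choice for ${cat}`);
    if (!EXEMPT.has(cat)) consent[cat] = value;
  }
  return consent;
}

// "Accept all" and "Reject all" are defined as a pair: a banner that offers
// only the first is not valid consent.
function acceptAll() {
  return consentFromChoice(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
}
function rejectAll() {
  return defaultConsent();
}

// Consent record: what was consented to, when, by which visitor, through which
// explicit action, and against which policy version. Persist this server-side;
// it is the evidence a supervisory authority asks for.
function makeRecord(consent, action, visitorId, now = new Date()) {
  const explicitActions = new Set(["accept_all", "reject_all", "custom", "withdraw"]);
  if (!explicitActions.has(action)) {
    throw new Error(`implicit consent is not consent: ${action}`);
  }
  return {
    visitorId,
    action,
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    consent: { ...consent },
  };
}

// Withdrawal must be as easy as giving consent: one call (wired to the footer's
// cookie settings link) resets every non-exempt category and writes a record.
function withdraw(visitorId, now = new Date()) {
  return makeRecord(rejectAll(), "withdraw", visitorId, now);
}

// A stored record only counts if it was made against the current policy
// version (assumption: re-ask after a policy change) and by an explicit action.
function isRecordCurrent(record) {
  return (
    record !== null &&
    typeof record === "object" &&
    record.policyVersion === POLICY_VERSION &&
    typeof record.action === "string"
  );
}

// Script blocking: decide which blocked tags may run. `scripts` is a list of
// { category, ... } descriptors built from each blocked tag's attributes.
function scriptsAllowed(scripts, consent) {
  return scripts.filter((s) => consent[s.category] === true);
}

// Browser side: swap each permitted text/plain tag for a real script element.
// Needs a DOM; the decision logic above is what the checks exercise.
function activateScripts(doc, consent) {
  const blocked = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const descriptors = blocked.map((el) => ({ category: el.dataset.consentCategory, el }));
  for (const { el } of scriptsAllowed(descriptors, consent)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```

Calling `activateScripts(document, consent)` only after `isRecordCurrent` returns true for the stored record is what makes the consent "prior" rather than retroactive.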
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
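One way to enforce the "never touches yours" rule on the server side, as an added example that is not code from the post or from any of the processors named above: with Stripe.js/Elements or PayPal Smart Buttons the browser should only ever send your server a token, so a request field that looks like a valid card number (13 to 19 digits passing the Luhn check) is a misconfigured form, and the request should be rejected before the value can reach your database or logs. The field names, the `payment_token` parameter and the sample request bodies are constructed for illustration.

```javascript
// Added example: server-side guard that keeps raw card numbers (PANs) out of
// the application. Framework-agnostic: returns a decision object you can use
// from any middleware. Field names and sample bodies are constructed.

// Luhn checksum: true for strings of 13-19 digits (spaces/dashes ignored)
// that pass the mod-10 check used by all major card brands.
function isLikelyPan(value) {
  const digits = String(value).replace(/[ -]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk a parsed request body (objects and arrays, nested to any depth) and
// return the dotted paths of every PAN-looking value, e.g. "metadata.notes.0".
// Paths are safe to log; the values are deliberately not returned.
function findPanFields(body, path = "") {
  const hits = [];
  if (body === null || body === undefined) return hits;
  if (typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof body === "string" || typeof body === "number") {
    if (isLikelyPan(body)) hits.push(path);
  }
  return hits;
}

// Decision for a checkout endpoint: accept only when the body carries the
// processor's token (assumed field name "payment_token") and no raw card data.
// `body` is assumed to be an already-parsed JSON object.
function checkCheckoutBody(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    // Log only the field paths, never the values, then reject.
    return { ok: false, status: 400, reason: "raw card data received", fields: panFields };
  }
  if (typeof body.payment_token !== "string" || body.payment_token.length === 0) {
    return { ok: false, status: 400, reason: "missing processor token", fields: [] };
  }
  return { ok: true, status: 200, reason: "", fields: [] };
}
```

Run `checkCheckoutBody` on every body that reaches a payment route (and, if you want the same protection for support forms and comment fields, on those too): a hit means a form on your site is posting card data to you instead of to the processor, which puts you straight back into full PCI scope.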
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
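The 4.5:1 figure above is a computable property, not a judgement call, so a palette can be checked in a build step before WAVE or axe ever sees the page. The following is an added example, not code from the article or from either tool; it implements the WCAG 2.1 relative-luminance and contrast-ratio definitions, and `samplePalette` is a constructed input.

```javascript
// Added example (not code from the article): check text/background colour
// pairs against the WCAG 2.1 contrast thresholds, so a theme palette can be
// audited in a build step instead of only by eye. Luminance and contrast
// follow the WCAG 2.1 definitions; samplePalette is a constructed input.

const AA_NORMAL = 4.5;  // WCAG 1.4.3: normal text (the 4.5:1 the article cites)
const AA_LARGE = 3.0;   // WCAG 1.4.3: large text (>= 18pt, or >= 14pt bold)
const AAA_NORMAL = 7.0; // WCAG 1.4.6
const AAA_LARGE = 4.5;

// "#rgb" or "#rrggbb" -> [r, g, b] in 0..255; anything else is an error.
function parseHex(hex) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) throw new Error(`not a hex colour: ${hex}`);
  let h = m[1];
  if (h.length === 3) h = h.split('').map((c) => c + c).join('');
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// sRGB channel -> linear light (WCAG "relative luminance" definition).
function linearize(channel) {
  const c = channel / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

function checkContrast(fg, bg, { largeText = false } = {}) {
  const ratio = contrastRatio(fg, bg);
  return {
    ratio: Math.round(ratio * 100) / 100,
    passesAA: ratio >= (largeText ? AA_LARGE : AA_NORMAL),
    passesAAA: ratio >= (largeText ? AAA_LARGE : AAA_NORMAL),
  };
}

// Audit a palette and return only the pairs that miss AA.
function auditPalette(pairs) {
  return pairs
    .map((p) => ({ ...p, ...checkContrast(p.fg, p.bg, { largeText: !!p.largeText }) }))
    .filter((r) => !r.passesAA);
}

// Constructed sample palette; the grey "#777777" is the classic near miss.
const samplePalette = [
  { name: 'body text', fg: '#333333', bg: '#ffffff' },
  { name: 'muted text', fg: '#777777', bg: '#ffffff' },
  { name: 'primary button', fg: '#ffffff', bg: '#0066cc' },
  { name: 'hero heading', fg: '#888888', bg: '#ffffff', largeText: true },
];

for (const f of auditPalette(samplePalette)) {
  console.log(`FAIL ${f.name}: ${f.fg} on ${f.bg} is ${f.ratio}:1`);
}
```

Run it against the colours your theme actually uses; the "muted text" grey above fails at about 4.48:1 while `#767676` on white passes at about 4.54:1, which is why contrast is worth measuring rather than eyeballing.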
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
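One way to enforce "card data never touches your server" rather than just intending it is to reject any request body that contains something shaped like a card number. The following is an added example, not the article's code and not Stripe's or PayPal's: a Luhn-based detector plus an Express-style `(req, res, next)` middleware, which is an assumed framework shape. The sample payloads are constructed; `4242 4242 4242 4242` is a standard test number and `tok_example_placeholder` is a placeholder token.

```javascript
// Added example (not from the article or any payment processor): a guard that
// refuses request bodies containing anything that looks like a raw card
// number. With client-side tokenization the server should only ever see an
// opaque token, so a PAN arriving here means a form is misconfigured and is
// pulling the server into PCI scope. The (req, res, next) middleware shape is
// assumed (Express-style); the detection itself is plain functions.

// Luhn checksum (ISO/IEC 7812) over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Does one value look like a PAN? Strip separators, require 13-19 digits and a
// valid Luhn checksum. Phone numbers (<= 11 digits) never match; a Luhn-valid
// 13-19 digit order id would, which is the price of erring on the safe side.
function looksLikeCardNumber(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed body (nested objects/arrays) and return the paths of offending fields.
function findCardLikeFields(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [key, val] of Object.entries(body)) {
      hits.push(...findCardLikeFields(val, path ? `${path}.${key}` : key));
    }
  } else if (looksLikeCardNumber(body)) {
    hits.push(path || '(root)');
  }
  return hits;
}

// Middleware: refuse the request and log only the field path, never the value,
// so the PAN does not end up in application logs either.
function rejectRawCardData(logger = console) {
  return function (req, res, next) {
    const offending = findCardLikeFields(req.body);
    if (offending.length === 0) return next();
    logger.warn(`raw card data rejected; fields: ${offending.join(', ')}`);
    res.status(400).json({ error: 'Card data must be tokenized client-side' });
  };
}

// Constructed sample payloads (not real cards; 4242... is a standard test number).
const tokenizedCheckout = { amount: 1999, currency: 'usd', payment_token: 'tok_example_placeholder' };
const leakyCheckout = { amount: 1999, card: { number: '4242 4242 4242 4242', exp: '12/30', cvc: '123' } };
```

Mount the middleware on every route that accepts form posts, not only the checkout route, since a misbuilt form can post card fields anywhere. Treat each hit as an incident to investigate, because the data already left the visitor's browser for your origin.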
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
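The five requirements listed above and the category table are what a consent banner has to implement underneath its UI. The following is an added example, not code from the article or from any of the plugins compared below: the consent state machine with no DOM, so it runs anywhere, with the categories from the table, a not-yet-decided default that blocks everything except strictly necessary cookies, granular grants, one-call withdrawal, and an append-only log carrying the timestamp and policy version. `POLICY_VERSION`, the visitor id and the script registry are assumed or constructed values; wiring `scriptsAllowed` to the page's `<script type="text/plain">` tags is left to the integration.

```javascript
// Added example (not from the article or any consent plugin): the logic under a
// cookie-consent banner. Categories follow the article's table; everything but
// 'necessary' is blocked until the visitor actively opts in, consent is granular,
// withdrawal is one call, and every decision is logged with time and policy
// version. POLICY_VERSION, visitorId and sampleRegistry are assumed/constructed.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // assumed value: bump whenever the cookie policy text changes

// State before any interaction: only strictly-necessary cookies run. No category
// is pre-ticked, and "undecided" is never treated as "accepted".
function defaultConsent() {
  return { decided: false, necessary: true, functional: false, analytics: false, marketing: false };
}

function createConsentManager({ visitorId, now = () => new Date() }) {
  let state = defaultConsent();
  const log = []; // append-only; persist server-side, this is the consent record

  function record(action) {
    log.push({
      visitorId,
      action,
      granted: CATEGORIES.filter((c) => state[c]),
      policyVersion: POLICY_VERSION,
      at: now().toISOString(),
    });
  }

  // Granular grant: the caller passes exactly the categories the visitor ticked.
  function grant(categories) {
    const bad = categories.filter((c) => !CATEGORIES.includes(c));
    if (bad.length) throw new Error(`unknown cookie category: ${bad.join(', ')}`);
    state = { ...defaultConsent(), decided: true };
    for (const c of categories) state[c] = true;
    record('grant');
  }

  return {
    grant,
    acceptAll: () => grant(CATEGORIES),
    rejectAll: () => grant([]), // offered next to acceptAll with the same prominence
    withdraw() { state = { ...defaultConsent(), decided: true }; record('withdraw'); },
    isAllowed: (category) => state[category] === true,
    hasDecided: () => state.decided,
    records: () => log.map((r) => ({ ...r, granted: [...r.granted] })),
  };
}

// Script registry: tags are embedded inert (type="text/plain") with a category,
// and only the ids this returns are switched to executable. Anything with an
// unknown category stays blocked, which is the safe failure mode.
function scriptsAllowed(manager, registry) {
  return registry.filter((s) => manager.isAllowed(s.category)).map((s) => s.id);
}

// Constructed sample registry mirroring the article's category table.
const sampleRegistry = [
  { id: 'session-cookie', category: 'necessary' },
  { id: 'lang-pref', category: 'functional' },
  { id: 'analytics-tag', category: 'analytics' },
  { id: 'ads-pixel', category: 'marketing' },
];
```

Two design choices matter for the "prior consent" requirement: the default state allows only the necessary category, so nothing else can fire on first paint, and `scriptsAllowed` is the only path by which a blocked tag becomes live. The log is what you hand over when asked to show what a visitor consented to and when.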
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
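Beyond choosing a tokenizing form, the server should verify that raw card data never arrives. The guard below is an added example (not code from this post, Stripe, PayPal or WooCommerce): it spots Luhn-valid card numbers in request bodies and log lines so that a misconfigured form fails loudly instead of silently widening your PCI scope. All function names in it are assumed.

```javascript
// Added example: refuse and scrub anything that looks like a primary account number (PAN).
// A hit here means the processor's client-side tokenization was bypassed (wrong form field,
// Elements disabled), which is a bug to surface, not data to store.

// Luhn check: every real card number passes; random digit runs (order ids, phone numbers) mostly don't.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the normalized PANs found in a string (Luhn-valid runs only).
function detectPan(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a parsed request body and collect the dotted paths of fields that contain a PAN.
function findCardFields(body, path = '') {
  const found = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      found.push(...findCardFields(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof body === 'string' || typeof body === 'number') {
    if (detectPan(String(body)).length) found.push(path);
  }
  return found;
}

// Call this before validation, storage or logging of a checkout request.
// Returns true when the body is clean; throws (and names the fields) otherwise.
function assertNoCardData(body) {
  const fields = findCardFields(body);
  if (fields.length) {
    throw new Error(`Raw card data received in field(s): ${fields.join(', ')}`);
  }
  return true;
}

// Mask PANs in a log line so only the last four digits survive.
function scrubForLog(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}
```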
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
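An added example, not from this post or from any of the plugins compared below, of the consent logic a banner has to implement: no pre-ticked categories, a per-visitor record of what was granted, when and under which policy version, one-call withdrawal, and script loading gated on the current record. The category names follow the table above; the script manifest, its placeholder URLs and the function names are assumed.

```javascript
// Added example: consent records and script gating for the cookie categories above.
const CATEGORIES = ['functional', 'analytics', 'marketing'];
const EXEMPT = 'strictly_necessary';  // no consent needed and cannot be refused
const CONSENT_VERSION = '2026-01';    // bump when the cookie policy changes; older records no longer count

// Build a consent record from the banner's choices. A category is granted only when the
// visitor actively ticked it: scrolling past or closing the banner yields all-false.
function recordConsent(choices, visitorId, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true; // never pre-ticked
  return {
    visitorId,                     // pseudonymous id kept in a first-party cookie
    version: CONSENT_VERSION,      // which cookie policy text was consented to
    timestamp: now.toISOString(),  // when
    granted,                       // what
    withdrawn: null,
  };
}

// Withdrawal is one call and keeps the original record as an audit trail.
function withdrawConsent(record, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = false;
  return { ...record, granted, withdrawn: now.toISOString() };
}

// Each third-party script is tagged with the category it belongs to (placeholder URLs).
const SCRIPTS = [
  { src: '/assets/cart.js', category: EXEMPT },
  { src: 'https://analytics.example/script.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// "Prior" consent: without a valid, current, unwithdrawn record only exempt scripts may load.
function allowedScripts(record, scripts = SCRIPTS) {
  const valid = Boolean(record) && record.version === CONSENT_VERSION && !record.withdrawn;
  return scripts
    .filter((s) => s.category === EXEMPT || (valid && record.granted[s.category] === true))
    .map((s) => s.src);
}

// Browser side: gated scripts ship as <script type="text/plain" data-src="..." data-category="...">
// and are swapped for real <script> elements only for the categories the record allows.
function activateScripts(record, doc = globalThis.document) {
  if (!doc) return 0; // not in a browser (e.g. when the logic above is checked under Node)
  const gated = [...doc.querySelectorAll('script[data-category]')];
  const manifest = gated.map((el) => ({ src: el.dataset.src, category: el.dataset.category }));
  const ok = new Set(allowedScripts(record, manifest));
  let loaded = 0;
  for (const el of gated) {
    if (!ok.has(el.dataset.src)) continue;
    const live = doc.createElement('script');
    live.src = el.dataset.src;
    el.replaceWith(live);
    loaded++;
  }
  return loaded;
}
```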
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
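The requirements and categories above in code, as an added example that is not from the post or from any of the plugins it compares: a minimal consent manager that loads nothing outside the strictly-necessary category before an explicit choice, keeps categories separate, makes “Reject all” and withdrawal one call each, and writes the consent record (what, when, by whom, under which policy version). The storage and script-loading interfaces are assumptions so the logic runs under Node; `ConsentManager`, `POLICY_VERSION` and the script names are constructed for the walk-through.

```javascript
// Added example, not code from the post or from any of the plugins it compares:
// a minimal consent manager that enforces the rules above. Storage and script
// loading are injected, so the logic runs outside a browser; in a page you would
// pass window.localStorage and a function that appends a <script> element.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Assumed: bump this whenever the cookie policy text or the cookie list changes;
// consent given under an older version is not consent for the new one.
const POLICY_VERSION = '2024-05';
const STORAGE_KEY = 'cookie_consent';

class ConsentManager {
  constructor(storage, loadScript, now = () => new Date()) {
    this.storage = storage;       // getItem/setItem/removeItem (localStorage-compatible)
    this.loadScript = loadScript; // called once per script when its category is allowed
    this.now = now;
    this.pending = [];            // non-essential scripts waiting for a decision
  }

  // The stored record is the evidence: what was consented to, when, by whom,
  // and under which policy version.
  currentRecord() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  // "Prior" consent: nothing outside the strictly-necessary category runs until
  // an explicit decision exists. No decision means "not allowed", never a default yes.
  isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = this.currentRecord();
    return rec !== null && rec.choices[category] === true;
  }

  // Register a script: load it now if allowed, otherwise hold it back.
  register(script) {
    if (this.isAllowed(script.category)) this.loadScript(script);
    else this.pending.push(script);
  }

  // One explicit user action. `choices` is per category; anything not set to
  // true counts as refused, which is what "no pre-ticked boxes" means in code.
  decide(choices, subjectId, method = 'banner') {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = c === 'necessary' || choices[c] === true;
    const record = {
      choices: normalized,
      policyVersion: POLICY_VERSION,
      decidedAt: this.now().toISOString(),
      subjectId, // pseudonymous id so the record can be found for a withdrawal or access request
      method,
    };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(record));
    // Release held scripts whose category is now allowed; keep the rest held.
    const stillPending = [];
    for (const s of this.pending) {
      if (this.isAllowed(s.category)) this.loadScript(s); else stillPending.push(s);
    }
    this.pending = stillPending;
    return record;
  }

  // "Reject all" must be one click, exactly like "Accept all".
  acceptAll(subjectId) {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.decide(all, subjectId, 'accept-all');
  }
  rejectAll(subjectId) { return this.decide({}, subjectId, 'reject-all'); }

  // Withdrawal is as easy as consent: one call from the footer's cookie-settings link.
  // Scripts that already ran cannot be unloaded, so the page should reload afterwards.
  withdraw(subjectId) { return this.decide({}, subjectId, 'withdrawal'); }
}

// In-memory stand-in for localStorage so the example runs under Node.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk-through with constructed script names: three scripts are registered
// before any decision, then the visitor allows analytics only.
function demo() {
  const loaded = [];
  const cm = new ConsentManager(makeStorage(), (s) => loaded.push(s.name),
    () => new Date('2024-05-01T10:00:00Z'));
  cm.register({ name: 'csrf-helper.js', category: 'necessary' });
  cm.register({ name: 'analytics.js', category: 'analytics' });
  cm.register({ name: 'ads-pixel.js', category: 'marketing' });
  const beforeDecision = loaded.slice();
  const record = cm.decide({ analytics: true }, 'visitor-0001');
  return { beforeDecision, afterDecision: loaded.slice(), record,
           marketingAllowed: cm.isAllowed('marketing') };
}
```

Two design points worth noting: the `policyVersion` check is why a record written under an older cookie policy counts as no consent at all, and the `subjectId` is a pseudonymous value of your own, not the visitor's IP, so the consent log itself does not become a tracking record.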
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
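A server-side guard for the “never handle card data” rule, as an added example that is not from the post, Stripe, PayPal or WooCommerce: with a tokenizing form the server should only ever see an opaque processor reference, so a raw card number arriving in a request means some form is misconfigured and is silently widening your PCI scope. The check refuses such requests and reports only a masked value, so the finding can be logged. The `tok_`/`pm_`/`pi_` prefixes follow Stripe’s public id scheme (an assumption for the check); the request bodies are constructed, and the card number is Stripe’s publicly documented test card, not a real account number.

```javascript
// Added example, not from the post or from Stripe/PayPal: a server-side guard
// that refuses any request body carrying something that looks like a card number.
// With a tokenizing form the server should only ever see an opaque processor
// token, so a raw PAN arriving means a form is misconfigured. Rejecting it (and
// never logging it unmasked) keeps you inside SAQ A territory.

// Luhn check: every real card number passes it, so it filters out most random
// digit runs (order numbers, phone numbers) without needing a card-range table.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed between digits) that pass Luhn.
function findCardNumbers(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Opaque processor references are the only payment data the server should accept.
// Prefixes assumed here follow Stripe's public id scheme (tok_, pm_, pi_).
function isProcessorToken(value) {
  return typeof value === 'string' && /^(tok|pm|pi)_[A-Za-z0-9]+$/.test(value);
}

// Walk a parsed JSON/form body and report every field containing a PAN.
// Only a masked form (last four digits) is returned, so the result is safe to log.
function scanBody(value, path = '') {
  const findings = [];
  if (typeof value === 'string') {
    for (const pan of findCardNumbers(value)) {
      findings.push({ path, masked: '*'.repeat(pan.length - 4) + pan.slice(-4) });
    }
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  }
  return findings;
}

// Decision for a checkout request: ok only if no PAN is present anywhere and the
// payment reference, if any, is an opaque token.
function checkoutGuard(body) {
  const findings = scanBody(body);
  if (findings.length > 0) return { ok: false, reason: 'card-data-in-request', findings };
  if ('payment_method' in body && !isProcessorToken(body.payment_method)) {
    return { ok: false, reason: 'payment-reference-not-a-token', findings: [] };
  }
  return { ok: true, findings: [] };
}

// Constructed request bodies. The PAN is Stripe's publicly documented test card,
// not a real account number.
const CONSTRUCTED_BAD_BODY = {
  name: 'A. Customer',
  card: { number: '4242 4242 4242 4242', exp: '12/30' },
  order_ref: 'ORD-2024-000123',
};
const CONSTRUCTED_GOOD_BODY = {
  name: 'A. Customer',
  payment_method: 'pm_constructedExample123',
  order_ref: 'ORD-2024-000123',
};
```

Run `checkoutGuard` on the parsed body before any handler, logger or database write sees it; a Luhn-valid run can occasionally be an innocent identifier, so reject with a clear error rather than silently stripping, and tune the minimum length if your own reference numbers are long.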
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
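The requirements listed above and the category table, as an added JavaScript example that is not code from the post or from any of the plugins it compares. The pure logic runs under Node; the DOM wiring at the end runs only in a browser. The policy version, cookie name, element ids and the /consent-log endpoint are assumptions.

```javascript
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01";             // assumption: bump whenever the cookie policy changes
const CONSENT_COOKIE = "cookie_consent";      // assumption: the consent cookie itself is strictly necessary
const CONSENT_MAX_AGE_S = 180 * 24 * 60 * 60; // assumption: re-ask after six months

// State before any user action: only strictly necessary cookies. Nothing is pre-ticked,
// and scrolling or continuing to browse never changes this.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the banner's explicit choices into a consent record: what was consented to, when,
// and under which policy version. Anything not explicitly granted is refused.
function buildConsentRecord(choices, action, now = new Date()) {
  const granted = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && choices[c] === true) granted[c] = true;
  }
  return { version: POLICY_VERSION, action, granted, timestamp: now.toISOString() };
}

// The banner buttons. "Reject all" is offered alongside "Accept all", one click each.
function acceptAll(now) {
  return buildConsentRecord({ functional: true, analytics: true, marketing: true }, "accept_all", now);
}
function rejectAll(now) { return buildConsentRecord({}, "reject_all", now); }
// Withdrawal (the footer "Cookie settings" link) writes a new record instead of deleting the
// old one, so the log shows both the grant and the withdrawal. Scripts already running keep
// their cookies until the page reloads, so the handler should also delete those cookies.
function withdrawAll(now) { return buildConsentRecord({}, "withdraw", now); }

// May a script in `category` run under this record? No record, or one for an older policy
// version, means the banner must be shown again and only necessary scripts run.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// Parse a stored record defensively: anything malformed counts as "no consent".
function parseStoredConsent(raw) {
  if (typeof raw !== "string") return null;
  try {
    const r = JSON.parse(raw);
    if (!r || typeof r !== "object" || !r.granted || typeof r.granted !== "object") return null;
    if (typeof r.version !== "string" || typeof r.timestamp !== "string") return null;
    return r;
  } catch (_) {
    return null;
  }
}

// First-party cookie holding the record. Its value is not secret, but SameSite and Secure keep it
// from being set cross-site or sent in the clear.
function consentCookieString(record) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
    `; Max-Age=${CONSENT_MAX_AGE_S}; Path=/; SameSite=Lax; Secure`;
}

function readConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try { return parseStoredConsent(decodeURIComponent(rest.join("="))); } catch (_) { return null; }
  }
  return null;
}

// Gated scripts are written as <script type="text/plain" data-consent="analytics" data-src="...">.
// The browser never executes type="text/plain", so nothing runs before consent exists.
function activateGatedScripts(record, doc) {
  let activated = 0;
  for (const node of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, node.getAttribute("data-consent"))) continue;
    const live = doc.createElement("script");
    if (node.dataset.src) live.src = node.dataset.src;
    else live.textContent = node.textContent;
    node.replaceWith(live);
    activated++;
  }
  return activated;
}

// Browser wiring only; skipped under Node. Element ids and the /consent-log path are assumptions.
if (typeof document !== "undefined") {
  const save = (rec) => {
    document.cookie = consentCookieString(rec);
    activateGatedScripts(rec, document);
    // Server-side consent log: the record plus a pseudonymous subject id your backend assigns.
    fetch("/consent-log", { method: "POST", headers: { "Content-Type": "application/json" },
                            body: JSON.stringify(rec) });
  };
  activateGatedScripts(readConsentCookie(document.cookie), document);
  document.getElementById("consent-accept-all")?.addEventListener("click", () => save(acceptAll()));
  document.getElementById("consent-reject-all")?.addEventListener("click", () => save(rejectAll()));
  document.getElementById("consent-withdraw")?.addEventListener("click", () => save(withdrawAll()));
}
```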
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
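The requirements above (no tag before an active choice, granular categories, one-step withdrawal, a record of what, when and by whom) as an added JavaScript example; this is not code from the original post or from any of the plugins compared below. `createConsentManager`, the storage shape, the policy version and the script URLs are all constructed for the illustration, and the category names follow the cookie table above, with "necessary" exempt and always loaded.

```javascript
// Added example (not from the original post): consent-gated loading of third-party tags.
// Nothing non-essential loads before an active choice, categories are granular,
// withdrawal is one call, and every choice is logged (what, when, by which visitor).
const POLICY_VERSION = "2024-06-01"; // constructed: bump whenever the cookie policy changes
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];

// storage, loadScript and recordConsent are injected so the same logic runs in a browser
// (localStorage, <script> tags, POST to your server) and in Node for this demo.
function createConsentManager({ storage, loadScript, recordConsent = () => {}, subjectId = "anonymous", now = () => new Date() }) {
  const KEY = "cookie_consent"; // remembering the choice is itself strictly necessary
  const pending = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, []]));
  const loaded = new Set();
  const consentLog = [];

  // A choice only counts if it was made against the current policy version;
  // consent given under an older policy is treated as "no consent yet".
  function current() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.version === POLICY_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  function allowed(category) {
    if (category === "necessary") return true;
    const rec = current();
    return !!rec && rec.choices[category] === true;
  }

  // Load every queued tag whose category now has consent, exactly once.
  function flush() {
    for (const cat of OPTIONAL_CATEGORIES) {
      if (!allowed(cat)) continue;
      for (const src of pending[cat]) {
        if (!loaded.has(src)) {
          loadScript(src);
          loaded.add(src);
        }
      }
    }
  }

  // Register a tag under a category. Non-essential tags are queued, never loaded eagerly.
  function register(category, src) {
    if (category === "necessary") {
      if (!loaded.has(src)) {
        loadScript(src);
        loaded.add(src);
      }
      return;
    }
    if (!pending[category]) throw new Error(`unknown cookie category: ${category}`);
    pending[category].push(src);
    flush();
  }

  // Persist an active choice. Any category not explicitly true is "no": no pre-ticked defaults.
  function save(choices, method) {
    const rec = {
      version: POLICY_VERSION,
      timestamp: now().toISOString(),
      subjectId, // pseudonymous visitor or session id
      method, // "accept_all" | "reject_all" | "custom" | "withdraw"
      choices: Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, choices[c] === true])),
    };
    storage.setItem(KEY, JSON.stringify(rec));
    consentLog.push(rec);
    recordConsent(rec); // e.g. POST to your server-side consent log
    flush();
    return rec;
  }

  const acceptAll = () => save({ functional: true, analytics: true, marketing: true }, "accept_all");
  const rejectAll = () => save({}, "reject_all");
  // Withdrawal is as easy as consenting: one call, logged like any other choice. Tags already
  // executed in this page view cannot be unloaded, so the new choice governs the next page load.
  const withdraw = () => save({}, "withdraw");

  return { register, save, acceptAll, rejectAll, withdraw, allowed, consentLog };
}

// Stand-alone demo with in-memory stand-ins for storage and the script loader.
function demo() {
  const mem = new Map();
  const loadedScripts = [];
  const cm = createConsentManager({
    storage: { getItem: (k) => (mem.has(k) ? mem.get(k) : null), setItem: (k, v) => mem.set(k, v) },
    loadScript: (src) => loadedScripts.push(src),
    subjectId: "sess-7f3a", // constructed session id
  });
  cm.register("necessary", "/js/csrf-token.js");
  cm.register("analytics", "https://analytics.example/script.js"); // constructed URL
  cm.register("marketing", "https://ads.example/pixel.js"); // constructed URL
  cm.save({ analytics: true }, "custom"); // analytics yes, marketing no
  return { loadedScripts, log: cm.consentLog };
}
```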
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
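The 4.5:1 figure above comes from the WCAG 2.1 relative-luminance and contrast-ratio formulas; the following JavaScript, added here and not part of the original post, implements them so a theme palette can be checked in a build step rather than only by hand in WAVE or axe. It assumes opaque six- or three-digit hex colours (no alpha); the helper names and the sample palette are constructed for the example.

```javascript
// Added example (not from the original post): WCAG 2.1 contrast-ratio check.
function parseHexColor(hex) {
  let h = hex.trim().replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join(""); // #abc -> #aabbcc
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`unsupported colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// sRGB channel (0-255) -> linear light, per WCAG 2.1's relative luminance definition.
function channelToLinear(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = parseHexColor(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1 and is
// symmetric, so foreground/background order does not matter.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg);
  const b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Level AA: 4.5:1 for normal text; WCAG 2.1 relaxes this to 3:1 for large text
// (at least 18pt, or 14pt bold).
function meetsWcagAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette and return the failing pairs with their ratio, for a CI gate.
function auditPalette(pairs) {
  return pairs
    .filter(({ fg, bg, largeText }) => !meetsWcagAA(fg, bg, { largeText }))
    .map((p) => ({ ...p, ratio: Number(contrastRatio(p.fg, p.bg).toFixed(2)) }));
}

// Constructed sample palette, not taken from any real site. The "muted caption" grey
// (#777777 on white) is the classic near miss: 4.48:1 fails AA for normal text but
// passes as large text.
const SAMPLE_PALETTE = [
  { name: "body text", fg: "#333333", bg: "#ffffff" },
  { name: "muted caption", fg: "#777777", bg: "#ffffff" },
  { name: "hero heading", fg: "#777777", bg: "#ffffff", largeText: true },
];
```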
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data but may not cover plugin data: check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
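A server-side guard for the rule just stated, as an added example that is neither the article's code nor any payment provider's SDK: once the client side tokenizes card details, your server should only ever see an opaque token or payment-method id, so any Luhn-valid run of 13 to 19 digits in a request body is a scope-creep bug worth failing loudly on, and any such run in a log line should be masked before it is written. The regular expression, the first-six/last-four masking (the truncation PCI DSS treats as acceptable) and the sample inputs are assumptions of this example; the card numbers in the test are the widely published test numbers, not real cards.

```javascript
// Luhn check on a string of digits; weeds out order numbers and timestamps
// that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return every Luhn-valid candidate found in arbitrary text.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    if (luhnValid(m[0].replace(/[ -]/g, ''))) found.push(m[0]);
  }
  return found;
}

// Refuse a request whose body carries card data; only a processor-issued
// token or payment-method id belongs in a request to your own server.
function assertNoCardData(body) {
  if (findPans(JSON.stringify(body)).length > 0) {
    throw new Error('request contains card data; submit the processor-issued token instead');
  }
  return true;
}

// Mask PANs before a line reaches your logs, keeping only the first six and
// last four digits.
function redactPans(line) {
  return String(line).replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match;
    return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
  });
}
```

Wire assertNoCardData into the handler that receives checkout submissions and redactPans into the logging layer; in practice the first should never fire, and a single hit means a form or plugin on the site is posting raw card details to your server and pulling you out of SAQ A scope.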
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
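The five requirements above map directly onto a small piece of front-end logic: nothing non-essential loads until a category is explicitly granted, "Reject All" and withdrawal are as easy as "Accept All", and every decision is written to a record that says what was granted, when, and by which visitor id. The code below is an added example, not code from the post or from any of the plugins compared later; ConsentManager, POLICY_VERSION, memoryStorage and the injected storage/loadScript/onRecord hooks are hypothetical names, chosen so the same logic runs in a browser (with window.localStorage and a real script injector) and in a plain Node test.

```javascript
// Added example: a minimal consent gate for non-essential scripts.
// Assumed/hypothetical names: ConsentManager, POLICY_VERSION, memoryStorage.

const POLICY_VERSION = "2026-01"; // hypothetical: bump whenever the cookie policy changes
const OPTIONAL = ["functional", "analytics", "marketing"]; // categories that need consent

class ConsentManager {
  // storage: localStorage-like object (getItem/setItem); loadScript(category, src)
  // injects the script tag; onRecord(record) ships the record to your consent log.
  constructor({ storage, loadScript, onRecord = () => {}, now = () => new Date() }) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.onRecord = onRecord;
    this.now = now;
    this.pending = Object.fromEntries(OPTIONAL.map((c) => [c, []])); // held until granted
    this.loaded = new Set();
  }

  // The stored decision, or null when there is none or it predates the current
  // policy version (a record against an older policy is not consent to the new one).
  current() {
    const raw = this.storage.getItem("cookie_consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  // Register a script. Strictly necessary scripts load immediately; everything
  // else waits until its category has been explicitly granted (no default opt-in).
  register(category, src) {
    if (category === "necessary") return this.load(category, src);
    if (!this.pending[category]) throw new Error("unknown cookie category: " + category);
    const rec = this.current();
    if (rec && rec.choices[category]) this.load(category, src);
    else this.pending[category].push(src);
  }

  load(category, src) {
    if (this.loaded.has(src)) return;
    this.loaded.add(src);
    this.loadScript(category, src);
  }

  // Persist an explicit choice from the banner's checkboxes. Unchecked boxes are
  // false; "necessary" is always true and is never offered as a choice.
  record(choices, subjectId) {
    const granted = { necessary: true };
    for (const c of OPTIONAL) granted[c] = choices[c] === true;
    const rec = {
      version: POLICY_VERSION,
      subject: subjectId, // random per-visitor id, not an email or other identifier
      timestamp: this.now().toISOString(),
      choices: granted,
    };
    this.storage.setItem("cookie_consent", JSON.stringify(rec));
    this.onRecord(rec);
    // Release only the scripts whose category was just granted.
    for (const c of OPTIONAL) {
      if (granted[c]) for (const src of this.pending[c].splice(0)) this.load(c, src);
    }
    return rec;
  }

  acceptAll(subjectId) {
    return this.record(Object.fromEntries(OPTIONAL.map((c) => [c, true])), subjectId);
  }

  // "Reject All" and later withdrawal are the same operation and as easy as accepting.
  // Scripts already running cannot be unloaded, so reload the page after a withdrawal.
  rejectAll(subjectId) {
    return this.record({}, subjectId);
  }
}

// In-memory stand-in for window.localStorage so the class can be exercised
// outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

The record deliberately stores a random visitor id rather than anything identifying, and the version check means a policy change forces a fresh decision instead of silently reusing an old one. In a real deployment `onRecord` would POST the record to a server-side log so the consent evidence survives the visitor clearing their browser.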
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
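Tokenizing on the client keeps card numbers out of your server on the happy path, but a visitor can still paste one into a contact form, an order note or a support ticket, and the moment it lands in your database or logs you are back in scope. A cheap backstop is to check inbound free-text fields for anything that looks like a card number before storing them. The block below is an added example, not code from the post or from Stripe, PayPal or WooCommerce: it finds 13 to 19 digit runs that pass the Luhn checksum and lets a form handler refuse the submission. Function names are hypothetical; the card numbers in the test are the widely published test numbers, not real cards.

```javascript
// Added example: detect card numbers in submitted form data so they are never stored.
// Assumed/hypothetical names: luhnValid, findCardNumbers, checkSubmission.

// Luhn checksum over a digit-only string; every payment card number passes it.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find runs of 13-19 digits, optionally separated by single spaces or dashes,
// that pass Luhn. Returns each hit masked to its last four digits so the finding
// itself can be logged without reproducing the number. Runs of 20+ digits
// (tracking numbers and the like) are not considered.
function findCardNumbers(text) {
  const hits = [];
  const re = /\b(?:\d[ -]?){12,18}\d\b/g;
  let m;
  while ((m = re.exec(String(text))) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push("*".repeat(digits.length - 4) + digits.slice(-4));
  }
  return hits;
}

// Inspect a submitted form (field name -> value). Returns ok:false and the
// offending field names when any value looks like a card number, so the
// handler can reject the request instead of writing it to the database.
function checkSubmission(fields) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value === "string" && findCardNumbers(value).length > 0) offending.push(name);
  }
  return { ok: offending.length === 0, offending };
}
```

Wire `checkSubmission` into the contact-form and order-note handlers ahead of any persistence or logging, and return a generic "please do not include card details" message rather than echoing the value back. The Luhn filter keeps order numbers, phone numbers and most random digit strings from triggering false positives.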
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
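If you run your own signup form rather than the platform's, the three practices above (double opt-in, a consent record with date, IP and method, and fast unsubscribe) are a small state machine. The block below is an added example, not code from the post or from Mailchimp, ConvertKit or ActiveCampaign: a pending request holds a single-use confirmation token and only becomes a subscriber when the link is clicked, and the resulting record is what you would show a regulator. MailingList, defaultToken and the injected now/newToken hooks are hypothetical names; the addresses and IPs in the test are constructed from documentation ranges.

```javascript
// Added example: double opt-in subscription with a per-subscriber consent record.
// Assumed/hypothetical names: MailingList, defaultToken.

function defaultToken() {
  // 32 random bytes, hex-encoded: unguessable, and single-use because confirm()
  // deletes it. Required lazily so a test can inject its own generator.
  return require("crypto").randomBytes(32).toString("hex");
}

class MailingList {
  constructor({ now = () => new Date(), tokenTtlHours = 48, newToken = defaultToken } = {}) {
    this.now = now;
    this.tokenTtlMs = tokenTtlHours * 3600 * 1000;
    this.newToken = newToken;
    this.pending = new Map();     // token -> unconfirmed request
    this.subscribers = new Map(); // normalised email -> consent record
  }

  // Step 1: the signup form posts here. Nothing is added to the list; the
  // returned token goes into the confirmation link emailed to the address.
  requestSubscription(email, ip, source) {
    const token = this.newToken();
    this.pending.set(token, {
      email: email.trim().toLowerCase(),
      requestIp: ip,
      source,                               // which form produced the request
      requestedAt: this.now().toISOString(),
    });
    return token;
  }

  // Step 2: the link is clicked. Only now is the address subscribed, and the
  // record keeps the date, IP and method of consent as described above.
  confirm(token, confirmIp) {
    const req = this.pending.get(token);
    if (!req) return { ok: false, reason: "unknown or already used token" };
    this.pending.delete(token); // single use, whether or not it is still valid
    if (this.now() - new Date(req.requestedAt) > this.tokenTtlMs) {
      return { ok: false, reason: "confirmation link expired" };
    }
    const record = {
      ...req,
      method: "double opt-in",
      confirmedAt: this.now().toISOString(),
      confirmIp,
      status: "subscribed",
    };
    this.subscribers.set(req.email, record);
    return { ok: true, record };
  }

  // Unsubscribe takes effect immediately, well inside the 24 hours above. The
  // record is kept with the time of withdrawal rather than deleted, so you can
  // still show when consent was given and when it ended.
  unsubscribe(email) {
    const rec = this.record(email);
    if (!rec || rec.status !== "subscribed") return false;
    rec.status = "unsubscribed";
    rec.unsubscribedAt = this.now().toISOString();
    return true;
  }

  record(email) {
    return this.subscribers.get(email.trim().toLowerCase()) || null;
  }

  // The one check every send path must make before addressing a campaign.
  canMail(email) {
    const rec = this.record(email);
    return rec !== null && rec.status === "subscribed";
  }
}
```

Expiring the token (48 hours here) keeps stale confirmation links from subscribing an address months later, and normalising the address means a later unsubscribe for `Reader@Example.com` finds the record created for `reader@example.com`.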
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server.
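With a tokenized checkout, the only payment value your server should ever see is a token. A cheap way to make sure a misconfigured form or plugin cannot quietly push real card numbers into your logs and database is to refuse any request that carries one. The following is an added example written for this page, not code from Stripe, PayPal or WooCommerce: it walks a JSON request body, flags every 13 to 19 digit string that passes the Luhn checksum (which every real card number does and most order ids and phone numbers do not), and an Express-style middleware then rejects the request. The test numbers 4242 4242 4242 4242 and 4111 1111 1111 1111 are the processors' public test card numbers, not real cards.

```javascript
// Added example (not the page's own code): reject any request that looks like it
// carries a primary account number (PAN). Tokenized checkouts only ever send a
// token, so a Luhn-valid card-length number reaching this server means a form is
// misconfigured and the request must be refused before it is logged or stored.

// Luhn checksum: every card number passes it, most random digit strings do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns the length of every Luhn-valid candidate in a string (never the digits
// themselves, so callers cannot accidentally log the PAN).
function cardNumberLengths(value) {
  const lengths = [];
  for (const m of value.match(PAN_PATTERN) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) lengths.push(digits.length);
  }
  return lengths;
}

// Walk a JSON body (nested objects and arrays) and report the path of every
// field that carries something that looks like a card number.
function findCardNumbers(body, path = "$") {
  const found = [];
  if (typeof body === "string") {
    for (const length of cardNumberLengths(body)) found.push({ path, length });
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => found.push(...findCardNumbers(v, `${path}[${i}]`)));
  } else if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) found.push(...findCardNumbers(v, `${path}.${k}`));
  }
  return found;
}

// Express-style middleware (hypothetical wiring; no framework is needed to run it).
function rejectCardData(req, res, next) {
  const hits = findCardNumbers(req.body);
  if (hits.length > 0) {
    // Log only where the data was found, never the value.
    console.warn("Refused request carrying card data at", hits.map((h) => h.path).join(", "));
    return res.status(400).json({ error: "Card numbers must not be sent to this server" });
  }
  return next();
}
```

Mount it before your body-parsing routes on every endpoint that receives checkout data. The same scan is worth running over outbound log lines as a detection control, since a PAN in application logs is itself a PCI finding.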
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
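The age check from the COPPA section and the separate, unbundled checkboxes described here meet in the registration handler. As an added example (not code from the original post or from WordPress), the validator below enforces a minimum age computed from a date of birth, requires an active tick on the ToS box, and records marketing consent as its own purpose that defaults to "not granted" with a timestamp, IP and method per record. Field names (date_of_birth, accept_tos, marketing_email) and the sample values are assumptions for the example.

```javascript
// Added example, not from the original post: registration validation with a
// minimum-age check, a mandatory ToS tick and separately recorded consent
// purposes. Form field names are assumptions for this example.

// Age in whole years on a given day, using UTC so time zones do not shift the
// birthday. Handles 29 February birthdays (not yet 16 on 28 February 2024).
function ageOn(dobIso, today) {
  const dob = new Date(dobIso + "T00:00:00Z");
  if (Number.isNaN(dob.getTime())) return null;
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const hadBirthday =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!hadBirthday) age -= 1;
  return age;
}

// A checkbox is accepted only if it was actively ticked: a parsed boolean true
// or the raw "on" an HTML form posts. Anything else (missing, "", false) is no.
const ticked = (v) => v === true || v === "on";

// Optional purposes, each with its own checkbox. Account data itself needs no
// consent box: it is processed to perform the contract, not on consent.
const OPTIONAL_PURPOSES = ["marketing_email"];

function validateRegistration(form, { minAge = 16, now = () => new Date(), ip = "unknown" } = {}) {
  const errors = [];
  const age = ageOn(form.date_of_birth, now());
  if (age === null) errors.push("date_of_birth: missing or invalid");
  else if (age < minAge) errors.push(`date_of_birth: you must be at least ${minAge}`);
  if (!ticked(form.accept_tos)) errors.push("accept_tos: you must accept the Terms of Service");
  if (errors.length > 0) return { ok: false, errors };

  const at = now().toISOString();
  const method = "registration_checkbox";
  const consentRecords = [{ purpose: "terms_of_service", granted: true, at, ip, method }];
  for (const purpose of OPTIONAL_PURPOSES) {
    // Absent or unticked means not granted: nothing is pre-ticked or bundled.
    consentRecords.push({ purpose, granted: ticked(form[purpose]), at, ip, method });
  }
  return { ok: true, age, consentRecords };
}
```

Store consentRecords alongside the account; the per-purpose record is what lets you answer "did this user agree to marketing, and when?" without re-deriving it from the ToS acceptance, and what lets the user withdraw one purpose without the other.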
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes the personal data of people in the EU, wherever the business is located, when it offers them goods or services or monitors their behaviour (Article 3(2)). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing the personal data of people in the EU (offering them goods/services or monitoring their behaviour) | Lawful basis for processing, consent, data subject rights, DPO for public bodies and for large-scale monitoring or sensitive-data processing | 4% of global annual turnover or EUR 20M, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect data from visitors (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR for the visitors who are in the EU - analytics and tracking cookies count as monitoring behaviour under Article 3(2), and accepting orders from EU customers counts as offering them goods. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit “I agree” checkbox at registration or checkout (“clickwrap”) gives you a record you can rely on; a notice that using the site implies acceptance (“browsewrap”) is weak evidence and courts frequently decline to enforce it
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule is not limited to cookies: Article 5(3) of the Directive covers any storing of information on, or reading of information from, the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts need the same consent.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)), so store a record of which categories were granted or refused, when, and which version of the banner and policy the visitor saw. Tie the record to a pseudonymous identifier (the random ID in your own consent cookie), not to a name or account - collecting extra identity data in order to prove consent works against the purpose
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; this can be extended by two further months for complex or numerous requests if you tell the requester why within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to the exceptions in Article 17(3), e.g. records you must keep for tax or other legal obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Document every breach internally - what happened, its effects and what you did about it - even when you decide it is not notifiable, because the authority can ask to see that assessment. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually required to report breaches to you promptly: the 72-hour clock starts when you, the controller, become aware, and Article 33(2) only obliges processors to tell you “without undue delay”.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require you to honor the Global Privacy Control browser signal (sent as the Sec-GPC: 1 request header and exposed to page scripts as navigator.globalPrivacyControl) as an opt-out of sale or sharing, so the opt-out has to take effect even when the visitor never clicks the link; check that your consent plugin processes this signal.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A, the simplest self-assessment questionnaire.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot end up in logs, support tickets or form-builder submissions either. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (in iframes served by the processor) and tokenizing them before anything reaches your server. Reduced scope does not mean the checkout page itself is out of scope: any script that runs on that page - a compromised plugin, a theme asset, a marketing tag - can swap the embedded form for a look-alike or add a skimming form next to it (the Magecart pattern). Keep third-party scripts off the checkout page, and send a Content-Security-Policy on it that only allows the processor’s own origins (Stripe documents exactly which script-src, frame-src and connect-src origins its library needs).
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp and the ToS version accepted alongside the account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the ToS checkbox must not double as a marketing consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. In the EU, the ePrivacy rules require opt-in consent for marketing email, with one narrow “soft opt-in” exception: existing customers can be emailed about your own similar products if they were given a clear chance to refuse at the point of purchase and in every message since. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and you must honor requests within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages unless consent is implied, most commonly by an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
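The five requirements above translate into a small piece of banner logic: tags register with a category instead of loading on their own, nothing is allowed before an active choice, the choice is granular, withdrawal is one call, and every decision is logged. The following is an added example and not code from the original post or from any consent plugin; it is written DOM-free in JavaScript so the decision logic can be exercised on its own. The category names, `POLICY_VERSION`, the visitor id, the script registry and the in-memory log are all assumptions.

```javascript
// Added example (not from the original post): consent-gating logic for a cookie
// banner, kept free of DOM code. Category names, POLICY_VERSION, the visitor id
// and the in-memory consent log are assumptions for illustration.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // assumption: bump whenever the cookie policy text changes

// The banner's starting state: nothing pre-ticked except strictly necessary.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  constructor(visitorId, now = () => Date.now()) {
    this.visitorId = visitorId; // assumption: random id kept in a first-party cookie
    this.now = now;
    this.scripts = [];          // { name, category, load, loaded } registered by the page
    this.log = [];              // append-only consent records (what, when, by whom, which version)
    this.choices = null;        // null until the visitor actively decides
  }

  // Tags register here instead of loading unconditionally; that is what "prior" means.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    this.scripts.push({ name, category, load, loaded: false });
  }

  // Categories allowed right now. Before any decision only strictly necessary
  // scripts may run, because scrolling or silence is not consent.
  allowed() {
    return this.choices ?? defaultChoices();
  }

  // An active choice ("Accept all", "Reject all" or a granular selection).
  // Unknown keys are ignored and "necessary" can never be switched off.
  decide(selection, action) {
    const choices = defaultChoices();
    for (const c of CATEGORIES) {
      if (c !== "necessary" && selection[c] === true) choices[c] = true;
    }
    this.choices = choices;
    this.log.push({
      visitorId: this.visitorId,
      at: new Date(this.now()).toISOString(),
      version: POLICY_VERSION,
      action,
      choices: { ...choices },
    });
    return this.loadPermitted();
  }

  acceptAll() { return this.decide({ functional: true, analytics: true, marketing: true }, "accept_all"); }
  rejectAll() { return this.decide({}, "reject_all"); }
  // Withdrawal must be as easy as consenting: a single call from the footer link.
  withdraw() { return this.decide({}, "withdraw"); }

  // Load every registered script whose category is allowed and not yet loaded;
  // returns the names loaded by this call.
  loadPermitted() {
    const ok = this.allowed();
    const loaded = [];
    for (const s of this.scripts) {
      if (!s.loaded && ok[s.category]) {
        s.load();
        s.loaded = true;
        loaded.push(s.name);
      }
    }
    return loaded;
  }

  // A record made under an older policy version means the banner must be shown again.
  needsReconsent() {
    const last = this.log[this.log.length - 1];
    return !last || last.version !== POLICY_VERSION;
  }
}
```

Two practical notes on the design: `log` is the evidence the "consent records" requirement asks for, so it belongs in server-side storage keyed by the visitor id rather than only in the browser; and withdrawal can stop future loads but cannot unload a third-party script that is already running, so the withdraw handler should also delete that category's cookies and the page should treat the next load as a fresh, unconsented visit.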
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
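A useful backstop for the "never touches your server" rule is a guard on the checkout endpoint that refuses any request body containing a card-number-shaped value, so a misconfigured form or a customer pasting a card number into a notes field cannot quietly put a PAN into your database or logs. The following is an added example, not code from the original post or from Stripe, PayPal or WooCommerce; the `paymentToken` field, the `tok_` prefix check, the sample bodies and the `[REDACTED PAN]` marker are constructed for illustration.

```javascript
// Added example (not from the original post): a server-side guard that keeps
// card numbers out of your database and logs. It scans an inbound request body
// for PAN-shaped values (13-19 digits that pass the Luhn check) and refuses to
// persist or log them, so only the processor's token gets through. The field
// names, token format and sample bodies are constructed for this example.

// Luhn checksum used by payment card numbers; input is a digits-only string.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value, ignoring spaces and dashes, looks like a card number.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[ -]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a JSON body and return the dotted path of every PAN-shaped value.
function findPans(obj, path = "") {
  const hits = [];
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findPans(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(obj)) {
    hits.push(path);
  }
  return hits;
}

// Return a copy of the body with PAN-shaped values replaced, safe to write to a log.
function redactPans(obj) {
  if (Array.isArray(obj)) return obj.map(redactPans);
  if (obj && typeof obj === "object") {
    return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, redactPans(v)]));
  }
  return looksLikePan(obj) ? "[REDACTED PAN]" : obj;
}

// Gate for the checkout endpoint: accept only a processor-issued token
// (assumed "tok_..." format), never raw card data.
function acceptCheckout(body) {
  const pans = findPans(body);
  if (pans.length) {
    return { ok: false, reason: `raw card data in ${pans.join(", ")}`, safeLog: redactPans(body) };
  }
  if (typeof body.paymentToken !== "string" || !/^tok_[A-Za-z0-9]+$/.test(body.paymentToken)) {
    return { ok: false, reason: "missing processor token", safeLog: body };
  }
  return { ok: true, token: body.paymentToken, safeLog: body };
}
```

Only `safeLog` should ever reach your logging pipeline. The Luhn filter will occasionally flag a long numeric order or tracking id that happens to pass the checksum; rejecting such a request is the safe failure mode, since the alternative is a PAN sitting in your database and pulling your whole stack into PCI scope.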
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
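As an added illustration (not code from the original post or from any of the plugins discussed below), the following JavaScript models the five requirements above against the categories in the table: nothing beyond strictly necessary is active until the visitor explicitly chooses, Reject All costs the same single click as Accept All, withdrawal is one call, every decision is stored with what, when, by whom, how and under which policy version, and third-party scripts load only for consented categories. The policy version, the one-year re-consent interval, the script manifest and the example hostnames are assumptions.

```javascript
// Added example: consent model for the rules above. Policy version, re-consent
// interval, script manifest and hostnames are assumptions for illustration.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01';  // bump whenever the cookie policy text changes
const MAX_AGE_DAYS = 365;          // re-ask after a year at the latest
const DAY_MS = 86400000;

// State before any interaction: only strictly necessary. Nothing is pre-ticked,
// and scrolling or continuing to browse never modifies this object.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn an explicit decision into a storable record: what was consented to, when,
// by which (pseudonymous) visitor, how, and under which policy version.
// `now` is a millisecond timestamp supplied by the caller so runs are deterministic.
function recordConsent(choices, now, meta) {
  const state = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary') state[cat] = choices[cat] === true; // only an explicit true counts
  }
  return {
    state,
    policyVersion: POLICY_VERSION,
    timestamp: new Date(now).toISOString(),
    method: meta.method,        // 'accept_all' | 'reject_all' | 'custom' | 'withdraw'
    visitorId: meta.visitorId,  // random id kept in the first-party consent cookie
  };
}

// "Accept All" and "Reject All" are symmetric: one click each, same record shape.
function acceptAll(now, visitorId) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, now,
    { method: 'accept_all', visitorId });
}
function rejectAll(now, visitorId) {
  return recordConsent({}, now, { method: 'reject_all', visitorId });
}

// Withdrawal must be as easy as consent: one call flips a category off and
// produces a fresh, timestamped record (the old one stays in your consent log).
function withdraw(record, category, now) {
  const choices = { ...record.state, [category]: false };
  return recordConsent(choices, now, { method: 'withdraw', visitorId: record.visitorId });
}

// A record counts only while fresh and tied to the policy version the visitor saw.
function isConsentCurrent(record, now) {
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  const age = now - Date.parse(record.timestamp);
  return age >= 0 && age <= MAX_AGE_DAYS * DAY_MS;
}

// Constructed tag manifest: each third-party script carries its category from the
// table. Anything outside "necessary" is held back until consent exists ("prior").
const SCRIPTS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/script.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

function scriptsToLoad(record, now) {
  const state = isConsentCurrent(record, now) ? record.state : defaultConsent();
  return SCRIPTS.filter((s) => state[s.category]).map((s) => s.src);
}

// The consent cookie itself is strictly necessary, so writing it needs no consent.
function toCookieValue(record) {
  return encodeURIComponent(JSON.stringify(record));
}
function fromCookieValue(value) {
  try { return JSON.parse(decodeURIComponent(value)); } catch (e) { return null; }
}

// Review a banner configuration against the five requirements and list violations.
function bannerViolations(banner) {
  const problems = [];
  if (!banner.hasRejectAll) problems.push('no Reject All beside Accept All');
  if (!banner.perCategoryToggles) problems.push('consent is not granular');
  if (Object.values(banner.defaults || {}).some((v) => v === true)) problems.push('pre-ticked boxes');
  if (banner.loadsTrackingBeforeChoice) problems.push('non-essential cookies set before consent');
  if (!banner.settingsLinkInFooter) problems.push('no easy way to withdraw');
  return problems;
}

// Walkthrough: a visitor consents to analytics only, then withdraws that consent.
const demoNow = Date.now();
const demoRecord = recordConsent({ analytics: true }, demoNow, { method: 'custom', visitorId: 'v-demo' });
console.log('before any choice:', scriptsToLoad(null, demoNow));
console.log('analytics only:   ', scriptsToLoad(demoRecord, demoNow));
console.log('after withdrawal: ', scriptsToLoad(withdraw(demoRecord, 'analytics', demoNow + 1000), demoNow + 1000));
```

In a real deployment `scriptsToLoad` drives the creation of `<script>` elements after the banner decision, and each record is also posted to your server so the consent log survives the visitor clearing cookies.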
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
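An added example (not the post's code, nor any processor's SDK) of a server-side guard that backs up the "never in your forms, never in your database" rule: it inspects every incoming form field for card-number-like values (13 to 19 digits that pass the Luhn check) and blocks the write, logging only the masked last four digits, so a customer pasting a card number into a contact or support form cannot quietly expand your PCI scope. The field names and sample values are constructed.

```javascript
// Added example: refuse form submissions that contain card-number-like values
// so they never reach storage. Field names and sample data are constructed.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
// that also pass Luhn. The Luhn step keeps order numbers and phone numbers out.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const match of String(text).match(PAN_PATTERN) || []) {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(match);
  }
  return hits;
}

// Scan every field of a submission. If any contains a PAN, block the write and
// return only masked evidence (last four digits) for the alert log - never the PAN.
function screenSubmission(fields) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findPans(value)) {
      const digits = pan.replace(/[ -]/g, '');
      offending.push({ field: name, masked: '*'.repeat(digits.length - 4) + digits.slice(-4) });
    }
  }
  return { allowed: offending.length === 0, offending };
}

// Constructed submissions: one clean (a 16-digit order id that fails Luhn and a
// phone number), one where a customer pasted Stripe's public test card number
// into a support form's free-text field.
const CLEAN = { name: 'A. Customer', phone: '+1 415 555 0100', order: '1234567890123456', message: 'Where is my order?' };
const LEAKY = { name: 'A. Customer', message: 'Charge my card 4242 4242 4242 4242 instead.' };

console.log('clean submission:', screenSubmission(CLEAN));
console.log('leaky submission:', screenSubmission(LEAKY));
```

Run this before the record is written and before the submission is forwarded to any email or ticketing integration; both places count as "your environment" for PCI scoping.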
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
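The 4.5:1 ratio quoted above is a defined formula, so it can be checked before an audit rather than discovered in one. The following is an added example, not code from the post, WAVE or axe: it implements the WCAG 2.1 relative luminance and contrast ratio calculation in JavaScript. The colour values used in the usage comments are constructed; the AA thresholds (4.5:1 normal text, 3:1 large text) are the ones named in the standard.

```javascript
// Added example (not the post's or any audit tool's code): WCAG 2.1 contrast ratio check.

// Accepts "#rgb" or "#rrggbb" and returns [r, g, b] as integers 0-255.
function hexToRgb(hex) {
  let h = String(hex).replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error("expected a #rgb or #rrggbb colour: " + hex);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// Relative luminance as WCAG defines it: linearise each sRGB channel, then weight the channels.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// (lighter + 0.05) / (darker + 0.05); order of the two colours does not matter.
function rawContrast(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// Rounded to two decimals, the way WAVE and axe report it (black on white is 21).
function contrastRatio(fg, bg) {
  return Math.round(rawContrast(fg, bg) * 100) / 100;
}

// AA: at least 4.5:1 for normal text, 3:1 for large text (roughly 18pt, or 14pt bold).
// Compares the unrounded value so 4.49 is not rounded up into a pass.
function meetsAA(fg, bg, { largeText = false } = {}) {
  return rawContrast(fg, bg) >= (largeText ? 3 : 4.5);
}

// Usage: #777777 on white is 4.48:1 and fails AA for body text; #767676 is 4.54:1 and passes.
```

Run this over the colour pairs in your theme's stylesheet as part of a build check; a grey that looks fine on a designer's monitor is the most common contrast failure an audit turns up.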
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
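Tokenizing on the client keeps card numbers out of your forms by design, but users still type them into support tickets, order notes and contact forms, and one such field in your database pulls you out of SAQ A scope. As an added example (not code from the post, Stripe, PayPal or WooCommerce), here is a server-side guard in JavaScript that detects primary account numbers with a Luhn check, names the offending fields so the request can be rejected, and redacts them before anything is logged. The sample form fields in the usage notes are constructed; 4242 4242 4242 4242 and 4111 1111 1111 1111 are published test numbers, not real cards.

```javascript
// Added example (not the post's or any payment processor's code): refuse and redact PANs
// in free-text form fields so card numbers never reach your database or logs.

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Luhn checksum, which every real card number satisfies; it filters out order ids,
// tracking numbers and phone numbers that happen to be long digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Returns the PANs (digits only) found in a piece of text.
function findCardNumbers(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/\D/g, "");
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Masks every digit except the last four of each PAN, keeping the original separators,
// e.g. "4242 4242 4242 4242" becomes "**** **** **** 4242". Use this on anything you log.
function redactCardNumbers(text) {
  return String(text).replace(PAN_CANDIDATE, (m) =>
    luhnValid(m.replace(/\D/g, "")) ? m.replace(/\d(?=(?:\D*\d){4})/g, "*") : m);
}

// Screens a submitted form (field name -> value). A non-empty result means: reject the
// request, do not persist it, and point the user at the hosted/embedded payment form.
function fieldsWithCardData(fields) {
  return Object.entries(fields)
    .filter(([, value]) => findCardNumbers(value).length > 0)
    .map(([name]) => name);
}

// Usage: fieldsWithCardData({ notes: "my card is 4111-1111-1111-1111" }) returns ["notes"];
// fieldsWithCardData({ notes: "order 1234567890123" }) returns [] (fails Luhn).
```

Wire `fieldsWithCardData` into the handler for every free-text form (contact, checkout notes, support) and `redactCardNumbers` into your logging layer; a Luhn-valid 13-19 digit run that is not a card is rare enough that a false positive costs only a polite rejection message.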
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
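The practical requirements listed above and the category split in the table come together in the banner's script-gating logic. As an added example (not code from the post or from any of the consent plugins it compares), here is a minimal consent manager in JavaScript: nothing outside the strictly necessary category runs until the visitor makes an active choice, every non-necessary category defaults to refused (no pre-tick), reject-all is a single call just like accept-all, consent can be withdrawn with one call, and every decision is appended to a log with the choices, the timestamp, the visitor identifier and the policy version. The category names, the `COOKIE_POLICY_VERSION` value and the script URLs in the usage notes are constructed placeholders; actual DOM injection is replaced by an optional `loadScript` callback so the logic runs outside a browser.

```javascript
// Added example (not the post's or any plugin's code): consent-gated script loading with a
// consent log. Category names and the policy version are constructed placeholders.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const COOKIE_POLICY_VERSION = "2024-05-01"; // bump whenever the cookie policy text changes

function makeConsentManager({ visitorId = "anonymous",
                              now = () => new Date().toISOString(),
                              loadScript = null } = {}) {
  const registry = Object.fromEntries(CATEGORIES.map((c) => [c, []]));
  const loaded = [];   // scripts that have actually been started, in order
  const records = [];  // append-only consent log: what, when, by whom, under which policy version
  let decision = null; // stays null until the visitor actively chooses (no pre-ticked default)

  function load(src) {
    if (loaded.includes(src)) return;
    loaded.push(src);
    if (loadScript) loadScript(src); // in a browser: append a <script> element here
  }

  function isAllowed(category) {
    if (category === "necessary") return true; // exempt, never asked about
    return decision !== null && decision[category] === true;
  }

  // Register a tag under a category. Before a decision only "necessary" tags run; after one,
  // a tag registered in an allowed category starts immediately.
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown cookie category: " + category);
    registry[category].push(src);
    if (isAllowed(category)) load(src);
  }

  function record(action) {
    records.push({ visitorId, action, choices: { ...decision },
                   policyVersion: COOKIE_POLICY_VERSION, at: now() });
  }

  // Granular choice: each non-necessary category is refused unless explicitly set to true.
  function choose(choices = {}) {
    decision = Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" || choices[c] === true]));
    record("choose");
    for (const c of CATEGORIES) if (isAllowed(c)) registry[c].forEach(load);
  }
  const acceptAll = () => choose({ functional: true, analytics: true, marketing: true });
  const rejectAll = () => choose({}); // one click, same prominence as accept

  // Withdrawal is as easy as consent. Tags already running cannot be unloaded from here;
  // a real banner deletes the cookies they set and reloads the page.
  function withdraw() {
    decision = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
    record("withdraw");
  }

  return {
    register, isAllowed, choose, acceptAll, rejectAll, withdraw,
    hasDecision: () => decision !== null,
    loadedScripts: () => [...loaded],
    consentLog: () => records.map((r) => ({ ...r, choices: { ...r.choices } })),
  };
}
```

The log entries are what a supervisory authority or a "prove you had consent" complaint asks for; persist them server-side (the plugins in the table do this in their consent-log feature) keyed by an anonymous visitor id rather than anything that would itself need consent to collect.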
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
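To make the requirements above concrete, here is an added example (not code from the article or from any consent plugin) of a minimal consent manager: non-essential scripts stay unloaded until an active choice is made, categories are granular, "reject all" and withdrawal are single calls like "accept all", a stored decision is reused only for the current policy version, and every decision is appended to a record of what was consented to, when, and by whom. The script URLs, the policy version string and the injected loadScript/clearCookies callbacks are assumptions so the logic runs without a DOM.

```javascript
// Added example: consent manager modelling the ePrivacy/GDPR rules above.
// Not the article's code; URLs, version and callback names are constructed.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed: bump whenever the cookie policy changes

// Which third-party scripts belong to which category (constructed URLs).
// "necessary" has no gated scripts: it is exempt from consent.
const SCRIPT_REGISTRY = {
  functional: [],
  analytics: ["https://example.invalid/analytics.js"],
  marketing: ["https://example.invalid/pixel.js"],
};

function createConsentManager({
  loadScript,                 // (url) => void, e.g. append a <script> tag
  clearCookies = () => {},    // (category) => void, delete that category's cookies
  subjectId = "anonymous",    // pseudonymous visitor id for the consent record
  now = () => new Date(),
  storage = new Map(),        // stand-in for localStorage or a first-party cookie
}) {
  const log = [];             // append-only consent record
  const loaded = new Set();
  let state = null;           // null = no decision yet: nothing non-essential may run

  function apply(previous) {
    for (const [cat, urls] of Object.entries(SCRIPT_REGISTRY)) {
      if (state.granted[cat]) {
        for (const url of urls) {
          if (!loaded.has(url)) { loadScript(url); loaded.add(url); }
        }
      } else if (previous && previous.granted[cat]) {
        // Consent withdrawn: a script that already executed cannot be unloaded,
        // so stop future loads and delete the cookies it set.
        clearCookies(cat);
      }
    }
  }

  function decide(choices, method) {
    // No pre-ticked boxes: every non-necessary category is off unless the
    // visitor explicitly chose it; "necessary" is always on.
    const granted = {};
    for (const cat of CATEGORIES) {
      granted[cat] = cat === "necessary" ? true : choices[cat] === true;
    }
    const previous = state;
    state = { subject: subjectId, granted, method, version: POLICY_VERSION, at: now().toISOString() };
    storage.set("consent", JSON.stringify(state));
    log.push(state);
    apply(previous);
    return state;
  }

  return {
    // Prior consent: a category is allowed only after an active grant.
    isAllowed: (cat) => cat === "necessary" || (state !== null && state.granted[cat] === true),
    acceptAll: () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all"),
    rejectAll: () => decide({}, "reject_all"),      // as easy as acceptAll
    savePreferences: (choices) => decide(choices, "preferences"),
    withdraw: () => decide({}, "withdraw"),         // same single call as giving consent
    // On a later visit, reuse a stored decision only if it was given for the
    // current policy version; otherwise the banner has to be shown again.
    restore: () => {
      const raw = storage.get("consent");
      if (!raw) return null;
      const saved = JSON.parse(raw);
      if (saved.version !== POLICY_VERSION) return null;
      state = saved;
      apply(null);
      return state;
    },
    record: () => log.map((entry) => ({ ...entry })),
  };
}
```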
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
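To make the consent rules and the category table above concrete, here is an added example (not code from the original post, and not from Complianz, CookieYes or any other plugin compared below) of a minimal consent model in JavaScript. It treats "no record" and "reject" as the default, only creates a record from an explicit action, never allows a non-essential category unless it was literally granted, makes withdrawal a single call, and gates inert `<script type="text/plain">` tags on the record. The category names, the policy-version string, the `data-consent` attribute and the function names are assumptions made for this illustration.

```javascript
// Added example: a minimal consent model that enforces the rules above.
// Not code from the original post or from any of the plugins it compares.
// Category names, the policy version string and the data-consent attribute
// are assumptions made for this illustration.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed: change it whenever the cookie policy changes

// State before the visitor has acted: only strictly necessary cookies.
// "Prior" consent means every non-essential script is gated on this state
// until an explicit choice has been recorded.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from an explicit user action on the banner.
// `choices` maps category -> boolean from the banner's checkboxes; anything
// that is not literally `true` is treated as a refusal (no pre-ticked defaults).
// Scrolling or continued browsing never calls this, so passive consent cannot occur.
function recordConsent(choices = {}, now = new Date(), subject = "anonymous") {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue; // exempt: cannot be declined
    granted[cat] = choices[cat] === true;
  }
  const anyOptional = CATEGORIES.some((c) => c !== "necessary" && granted[c]);
  return {
    version: POLICY_VERSION,
    timestamp: now.toISOString(),
    subject, // pseudonymous visitor id supplied by the caller (assumed design)
    action: anyOptional ? "accept" : "reject",
    granted,
  };
}

// "Reject All" is an explicit, recorded refusal, not the absence of a record.
function rejectAll(now, subject) {
  return recordConsent({}, now, subject);
}

// Withdrawal is one call, as easy as granting; it supersedes the earlier record.
function withdrawConsent(previous, now = new Date()) {
  return { ...recordConsent({}, now, previous.subject), action: "withdraw" };
}

// Gate: may a script tagged with `category` run under this record?
// No record, or a record for an older policy version, never allows
// non-essential scripts; re-consent is required after a policy change.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || record.version !== POLICY_VERSION || !record.granted) return false;
  return record.granted[category] === true;
}

// Browser glue (no-op outside a DOM): scripts ship inert as
// <script type="text/plain" data-consent="analytics">...</script>
// and are swapped for live scripts only for allowed categories.
// Returns how many scripts were activated.
function activateScripts(record, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  doc.querySelectorAll('script[type="text/plain"][data-consent]').forEach((el) => {
    if (!isAllowed(record, el.dataset.consent)) return;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  });
  return activated;
}
```

The design point worth copying from this is the version check in `isAllowed`: a record made under an older policy text is treated exactly like no record, so changing what you disclose forces the banner to reappear instead of silently reusing old consent. Persist the returned record (for example in your consent log) together with the banner text version it refers to.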
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
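The 4.5:1 ratio above is something you can compute rather than eyeball. This is an added example (not from the post, WAVE or axe) that implements the WCAG 2.1 relative-luminance and contrast-ratio formulas in JavaScript and checks a foreground/background pair against the AA thresholds, so you can fail a build on a colour change before the audit tool does. The function names are mine; the formulas, the 4.5:1 and 3:1 thresholds and the large-text definition are WCAG's.

```javascript
// Added example: WCAG 2.1 contrast ratio check. Not code from the post,
// WAVE or axe; formulas and thresholds are those WCAG 2.1 specifies.

// Parse "#rrggbb" or "#rgb" into [r, g, b] with each channel in 0..255.
function parseHex(hex) {
  let h = String(hex).trim().replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance: linearise each sRGB channel, then weight.
function relativeLuminance([r, g, b]) {
  const linear = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * linear(r) + 0.7152 * linear(g) + 0.0722 * linear(b);
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05), lighter colour as L1,
// so the result is always >= 1 (1:1 identical, 21:1 black on white).
function contrastRatio(fgHex, bgHex) {
  const l1 = relativeLuminance(parseHex(fgHex));
  const l2 = relativeLuminance(parseHex(bgHex));
  const [lighter, darker] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (lighter + 0.05) / (darker + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text
// (at least 18pt, or 14pt bold).
function meetsAA(fgHex, bgHex, { largeText = false } = {}) {
  return contrastRatio(fgHex, bgHex) >= (largeText ? 3 : 4.5);
}

// Check a whole palette of (foreground, background, largeText) pairs and
// return the failing ones, suitable for a pre-commit or CI step.
function auditPairs(pairs) {
  return pairs
    .map(([fg, bg, largeText = false]) => ({ fg, bg, largeText, ratio: contrastRatio(fg, bg) }))
    .filter((p) => !meetsAA(p.fg, p.bg, { largeText: p.largeText }));
}
```

A useful calibration: mid grey `#777777` on white comes out just under 4.5:1 and fails for body text but passes as large text, while `#767676` on white passes both, which is why audit tools flag one and not the other.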
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
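The rule above only holds if card data really never reaches your server, and a free-text "order notes" field is the usual way it sneaks in. Here is an added server-side guard (not code from the post, nor from Stripe, PayPal or WooCommerce) for a Node.js form handler: any submitted field containing a digit run that passes the Luhn check is rejected before it can be logged or stored, so the client-side tokenization path stays the only path. The field names, the handler shape and the in-code samples are constructed; the number 4242 4242 4242 4242 in the sample is Stripe's publicly documented test card, not real card data.

```javascript
// Added example: reject form submissions that carry anything resembling a
// payment card number. Not from the post or any payment processor's SDK.
// Field names and handler shape are assumptions for illustration.

// Luhn check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let alternate = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alternate) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// True if `text` contains a 13-19 digit run (spaces or dashes allowed between
// digits) that passes Luhn. Luhn has false positives on arbitrary numbers, so
// this is a guard against accidental PAN intake, not a fraud detector.
function looksLikePan(text) {
  const candidates = String(text).match(/(?:\d[ -]?){12,18}\d/g) || [];
  for (const m of candidates) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Names of the fields that contain PAN-like data; an empty list means the
// submission is safe to persist.
function findPanFields(fields) {
  return Object.entries(fields)
    .filter(([, value]) => looksLikePan(value))
    .map(([name]) => name);
}

// Handler entry point: refuse the whole submission rather than stripping the
// offending field, so the sender learns that the form is the wrong channel.
// Nothing from `fields` is echoed back or logged on the failure path.
function handleCheckoutForm(fields) {
  const offending = findPanFields(fields);
  if (offending.length > 0) {
    return { ok: false, error: "card data must not be submitted to this server", fields: offending };
  }
  return { ok: true };
}

// Constructed sample: what a correctly tokenised checkout posts to you.
// The token value is a placeholder, not a real processor token.
const SAMPLE_OK = { name: "A. Customer", paymentToken: "tok_EXAMPLE_PLACEHOLDER", note: "leave at door" };

// Constructed sample: a notes field where someone pasted Stripe's documented
// test card number (4242 4242 4242 4242), which is not a real card.
const SAMPLE_BAD = { name: "A. Customer", note: "use card 4242 4242 4242 4242" };
```

Run the same check on anything that writes to logs or support tickets, not only the checkout handler; a card number in a log file pulls that log into PCI scope just as surely as a database column does.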
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
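With Stripe.js, Elements or Smart Buttons the browser hands the card details to the processor and your server only ever receives an opaque token. A cheap safety net on top of that is a server-side guard that refuses to persist or log any field that looks like a card number, so a misconfigured form or a free-text "order note" cannot silently pull raw card data into your database and widen your PCI scope. The block below is an added example, not code from the original post, Stripe, PayPal or WooCommerce; the function names and the sample orders are constructed for illustration, and the number 4242 4242 4242 4242 is Stripe's publicly documented test card.

```javascript
// Added example (not from the original post or any payment processor): keep
// raw card numbers (PANs) out of your own storage. The processor's token is
// all your server should ever store.

// Luhn (mod 10) check on a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value contains a 13-19 digit run (spaces or dashes allowed
// between digits) that passes Luhn. A 13-digit timestamp can trip this by
// chance, which is acceptable for a guard that only blocks a write.
function looksLikePAN(value) {
  if (typeof value !== 'string') return false;
  const candidates = value.match(/(?:\d[ -]?){13,19}/g) || [];
  return candidates.some((c) => {
    const digits = c.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Walk a request body and return the dotted paths of every PAN-like field.
function findPANFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findPANFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePAN(obj)) {
    hits.push(path);
  }
  return hits;
}

// Hypothetical persistence gate: call before writing an order to the database
// or to an application log. Rejects the write instead of storing a PAN.
function safeToPersist(body) {
  const hits = findPANFields(body);
  if (hits.length > 0) {
    return { ok: false, reason: `card number detected in field(s): ${hits.join(', ')}` };
  }
  return { ok: true, reason: '' };
}

// Constructed sample payloads. The good order carries only the processor's token.
const goodOrder = { customer: 'Jane', total: '19.99', paymentToken: 'tok_example_placeholder' };
const leakyOrder = { customer: 'Jane', total: '19.99', note: 'paid with 4242 4242 4242 4242' };

console.log(safeToPersist(goodOrder));
console.log(safeToPersist(leakyOrder));
```

Wire `safeToPersist` in front of every code path that writes customer-supplied text (orders, support tickets, form submissions, log lines); the point is not to handle card data better but to make sure it never lands anywhere on your side.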
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
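The consent plugins compared below implement these rules for you, but it helps to see the decision logic on its own: nothing outside the strictly necessary category runs until the visitor has made an explicit choice, scrolling changes nothing, withdrawal is the same call as consenting, and every choice produces a record of what was consented to, when, and by which visitor. The block below is an added example, not code from the original post or from any consent plugin; the script list, category names and the `consentId`/`policyVersion` fields are assumptions for illustration.

```javascript
// Added example (not from the original post or any plugin): consent-gated
// script loading plus a consent record, written as pure functions so it runs
// without a browser.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed list of site scripts tagged by cookie category.
const SITE_SCRIPTS = [
  { name: 'csrf-helper', category: 'necessary' },
  { name: 'matomo', category: 'analytics' },
  { name: 'facebook-pixel', category: 'marketing' },
];

// State before any interaction: only strictly necessary is allowed.
// Scrolling or continuing to browse must never move away from this state.
function defaultConsent() {
  return {
    decided: false,
    allowed: { necessary: true, functional: false, analytics: false, marketing: false },
  };
}

// Record an explicit choice. `choices` is the set of optional categories the
// visitor ticked ("necessary" cannot be un-ticked). `method` says how the
// choice was made ("banner", "settings", "reject-all", "withdraw").
function recordChoice(choices, method, meta) {
  const allowed = { necessary: true, functional: false, analytics: false, marketing: false };
  for (const c of choices) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    allowed[c] = true;
  }
  const record = {
    consentId: meta.consentId,         // anonymous id kept in a necessary cookie
    timestamp: meta.now,               // ISO-8601 time of the choice
    method,
    policyVersion: meta.policyVersion, // which cookie policy text was shown
    allowed: { ...allowed },
  };
  return { decided: true, allowed, record };
}

// "Reject All" and withdrawal are the same operation: no optional categories.
function rejectAll(meta) { return recordChoice([], 'reject-all', meta); }
function withdrawAll(meta) { return recordChoice([], 'withdraw', meta); }

// Names of the scripts that may be loaded under a given consent state.
function scriptsToLoad(scripts, consent) {
  return scripts.filter((s) => consent.allowed[s.category] === true).map((s) => s.name);
}

// Append-only consent log; in production this is written server-side.
function appendLog(log, record) { return [...log, record]; }

// Walk-through with constructed values.
const meta = { consentId: 'c-0001', now: '2024-05-01T10:00:00Z', policyVersion: '2024-04' };
let log = [];
console.log(scriptsToLoad(SITE_SCRIPTS, defaultConsent()));   // only csrf-helper
const chosen = recordChoice(['analytics'], 'banner', meta);
log = appendLog(log, chosen.record);
console.log(scriptsToLoad(SITE_SCRIPTS, chosen));             // csrf-helper, matomo
```

On a real page, `scriptsToLoad` is what decides which `<script>` tags get injected after the banner interaction; the marketing pixel is never fetched until `allowed.marketing` is true, which is the "prior" part of prior consent.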
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
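The consent rules above (prior consent, no pre-ticked boxes, granular categories, a Reject All that is as easy as Accept All, withdrawal, and a stored consent record) expressed as a small consent-gating module. This is an added example, not code from the post or from any of the plugins compared below; the category names follow the table above, and the policy version, visitor ID and script URLs are constructed sample values.

```javascript
// Added example: a minimal consent state machine for a cookie banner.
// Nothing beyond "strictly necessary" is allowed until the visitor makes an
// explicit decision; every decision (including withdrawal) is recorded with
// what was granted, when, how, and under which policy version.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Bump this when your cookie policy, categories or vendors change so that
// older consent records stop counting and the banner is shown again.
const POLICY_VERSION = "2026-01"; // constructed placeholder value

function createConsentState(visitorId) {
  // visitorId: a random per-visitor ID the banner generates (assumption), so
  // the consent log can say "by which user" without storing identity.
  return { visitorId, record: null };
}

function recordDecision(state, choices, method, now = new Date()) {
  // choices: { functional?: bool, analytics?: bool, marketing?: bool }
  // method: how the decision was made ("accept_all", "reject_all", "custom", "withdrawn")
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key) || key === "necessary") {
      throw new Error(`unknown or non-optional category: ${key}`);
    }
  }
  const granted = { necessary: true };
  for (const cat of CATEGORIES.slice(1)) {
    // Anything not explicitly set to true is denied: the opposite of a pre-ticked box.
    granted[cat] = choices[cat] === true;
  }
  return {
    ...state,
    record: { policyVersion: POLICY_VERSION, timestamp: now.toISOString(), method, granted },
  };
}

function acceptAll(state, now) {
  return recordDecision(state, { functional: true, analytics: true, marketing: true }, "accept_all", now);
}

function rejectAll(state, now) {
  // One click, same as Accept All: a banner with no Reject All equivalent is not valid consent.
  return recordDecision(state, {}, "reject_all", now);
}

function withdraw(state, now) {
  // Withdrawal must be as easy as giving consent, and it is itself a logged decision.
  return recordDecision(state, {}, "withdrawn", now);
}

function needsRenewal(state) {
  // A record made under an older policy version no longer authorises anything.
  return state.record !== null && state.record.policyVersion !== POLICY_VERSION;
}

function isAllowed(state, category) {
  if (category === "necessary") return true;
  if (state.record === null || needsRenewal(state)) return false; // "prior": nothing before a decision
  return state.record.granted[category] === true;
}

// Given scripts tagged with their category (consent plugins do this with a data
// attribute and a blocked script type), return the ones that may load right now.
function scriptsToLoad(state, scripts) {
  return scripts.filter((s) => isAllowed(state, s.category)).map((s) => s.src);
}

// Serialised line for the consent log: what, when, how, and by which visitor.
function consentLogEntry(state) {
  if (state.record === null) return null;
  return JSON.stringify({ visitorId: state.visitorId, ...state.record });
}

// Constructed sample scripts, one per category from the table above.
const SAMPLE_SCRIPTS = [
  { src: "/wp-includes/js/session.js", category: "necessary" },
  { src: "/js/language-pref.js", category: "functional" },
  { src: "https://www.googletagmanager.com/gtag/js", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];
```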
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is never to handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them, so only a token, never the card number, reaches your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
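The requirements list and the category table above describe behaviour a consent banner has to implement, so here is an added example of that logic (it is not code from the original post or from any of the plugins compared below). It enforces prior consent (nothing non-essential loads until the visitor has actively chosen), granular categories, a one-click "Reject All" that is as easy as "Accept All", withdrawal from a settings link, and a stored record of what was consented to, when, and how. The storage object is injected so the code runs under Node; in a page you would pass `window.localStorage`. `POLICY_VERSION`, the storage key and the script list are constructed values for the example.

```javascript
// Added example, not code from the original post: a minimal consent manager
// that enforces the requirements above. The storage object is injected so the
// logic runs outside a browser; in a page you would pass window.localStorage.
// POLICY_VERSION and the script list are constructed values for the example.
const POLICY_VERSION = "2024-01"; // bump whenever the cookie policy changes
const STORAGE_KEY = "cookie_consent";

function createConsentManager(storage, now = () => new Date().toISOString()) {
  // Read the stored record; a record for an older policy version is stale and
  // counts as "no decision", so the banner is shown again.
  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  // Write a consent record: what was consented to, when, and how the choice
  // was made. "necessary" is always true because it is exempt from consent.
  function write(choices, method) {
    const rec = {
      version: POLICY_VERSION,
      timestamp: now(),
      method, // "accept_all" | "reject_all" | "custom" | "withdrawn"
      choices: {
        necessary: true,
        functional: choices.functional === true,
        analytics: choices.analytics === true,
        marketing: choices.marketing === true,
      },
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  return {
    // true once the visitor has made an active choice (accept, reject or custom)
    hasDecision: () => read() !== null,
    // "Prior" consent: with no record, every non-essential category is denied.
    allowed(category) {
      if (category === "necessary") return true;
      const rec = read();
      return rec !== null && rec.choices[category] === true;
    },
    acceptAll: () => write({ functional: true, analytics: true, marketing: true }, "accept_all"),
    rejectAll: () => write({}, "reject_all"), // one click, same effort as acceptAll
    save: (choices) => write(choices, "custom"), // granular choice from the settings UI
    withdraw: () => write({}, "withdrawn"), // footer "cookie settings" link
    record: read,
  };
}

// Decide which tags may run. In a browser each returned src would be injected
// as a <script> element; nothing in a denied category is ever fetched.
function loadGatedScripts(manager, scripts) {
  return scripts.filter((s) => manager.allowed(s.category)).map((s) => s.src);
}

// In-memory stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Constructed tag list: the category decides whether a tag is allowed to load.
const SITE_SCRIPTS = [
  { category: "necessary", src: "/js/csrf.js" },
  { category: "analytics", src: "https://analytics.example/script.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];
```

The design point is that the gating happens before any tag is fetched, not after: a banner that loads Google Analytics and merely hides the banner on "Accept" has already set the cookie, which is exactly the "prior" failure the text calls out. Bumping `POLICY_VERSION` when the cookie policy changes invalidates old records so visitors are asked again.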
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
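Tokenized checkout keeps card numbers off your server only as long as nothing else captures them: a custom "order notes" field, a contact form, or a plugin's debug log can quietly pull you back into PCI scope. The following added example (not code from the original post, Stripe, PayPal or WooCommerce) is a guard you can run over a request body before it is persisted or logged; it flags any field that carries a Luhn-valid 13-19 digit run, and masks a PAN to the first six and last four digits that PCI DSS permits to be displayed. The sample body is constructed; `4242 4242 4242 4242` is Stripe's published test card number.

```javascript
// Added example, not code from the original post: a guard that refuses to
// persist or log a request body that contains a primary account number (PAN).
// It catches the failure mode the text warns about: a custom form, a plugin or
// a debug log quietly capturing card numbers that should only ever reach the
// processor. Sample inputs are constructed; 4242 4242 4242 4242 is Stripe's
// public test card number.

// Luhn checksum: every PAN passes it, which filters out most other digit runs.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (spaces or dashes allowed between groups, as people
// type them) that pass Luhn. Returns the bare digit strings found.
function findPans(text) {
  const found = [];
  const re = /(?<!\d)(?:\d[ -]?){13,19}(?!\d)/g;
  let m;
  while ((m = re.exec(String(text))) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// PCI DSS allows at most the first six and last four digits to be displayed.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Walk a parsed request body (nested objects and arrays included) and return
// the paths of any fields that carry a PAN. An empty array means safe to store.
function fieldsWithCardData(body, path = "") {
  const hits = [];
  if (body === null || body === undefined) return hits;
  if (typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...fieldsWithCardData(v, path ? `${path}.${k}` : k));
    }
  } else if (findPans(String(body)).length > 0) {
    hits.push(path);
  }
  return hits;
}

// Constructed request body, as a plugin might hand it to your save handler.
const SAMPLE_BODY = {
  order_id: "1234567890123", // 13 digits but fails Luhn: not flagged
  phone: "+1 555 0100",
  note: "customer read out 4242 4242 4242 4242 over the phone",
};
```

Use it as a pre-save and pre-log check: if `fieldsWithCardData(body)` is non-empty, reject the submission (or drop the offending field) rather than storing it, and never write the raw value to a log. The Luhn filter is what keeps order numbers and phone numbers from tripping it.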
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
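As an added example, not code from this post or from any of the plugins compared below, a minimal browser-side consent manager that enforces the requirements listed above: non-essential categories are denied until the user acts, consent is granular, withdrawal is one call, every decision produces a record of what, when and by which browser, and third-party tags are shipped as `type="text/plain"` so they only run once their category is consented. The category names, policy version and storage key are assumptions, and DOM access is guarded so the logic also runs outside a browser.

```javascript
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01';      // assumption: bump whenever the cookie policy text changes
const STORAGE_KEY = 'cookie_consent';  // assumption: key used in the store

// A new visitor has consented to nothing except strictly necessary cookies (prior consent).
function defaultState() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Anonymous identifier so a stored record can be matched to a browser without personal data.
function newConsentId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'c-' + Math.random().toString(36).slice(2) + Date.now().toString(36);
}

class ConsentManager {
  // store: anything with get/set (a Map here; localStorage plus a server-side log in production).
  // now: injectable clock so the timestamps in records can be checked deterministically.
  constructor({ store = new Map(), now = () => new Date() } = {}) {
    this.store = store;
    this.now = now;
    const saved = store.get(STORAGE_KEY);
    // A record given under an older policy version does not count: the banner is shown again.
    this.record = saved && saved.policyVersion === POLICY_VERSION ? saved : null;
    this.state = this.record ? { ...this.record.categories } : defaultState();
    this.consentId = this.record ? this.record.consentId : newConsentId();
  }

  // True only when the user actively chose this category (or it is strictly necessary).
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return this.state[category] === true;
  }

  // The banner must be shown while there is no valid record for the current policy version.
  needsBanner() {
    return this.record === null;
  }

  // Records the user's active choice. `chosen` is exactly the set of categories the user ticked
  // (an empty list is "Reject All"); `method` is the control they used, kept in the record.
  // Scrolling or continuing to browse must never call this.
  grant(chosen, method) {
    if (!Array.isArray(chosen)) throw new TypeError('an explicit list of categories is required');
    if (!['accept_all', 'reject_all', 'save_preferences'].includes(method)) {
      throw new Error('method must be the button the user clicked');
    }
    const state = defaultState();
    for (const c of chosen) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      state[c] = true;
    }
    return this._commit(state, method);
  }

  // Withdrawal is a single call, as easy as granting. Scripts already running cannot be
  // un-executed, so a real banner reloads the page after a withdrawal.
  withdraw(category) {
    if (category === 'necessary') throw new Error('strictly necessary cookies cannot be withdrawn');
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return this._commit({ ...this.state, [category]: false }, 'withdraw');
  }

  _commit(state, method) {
    this.state = state;
    this.record = {
      consentId: this.consentId,
      timestamp: this.now().toISOString(),
      policyVersion: POLICY_VERSION,
      method,
      categories: { ...state },
    };
    this.store.set(STORAGE_KEY, this.record);
    this.activateScripts();
    return this.record;
  }

  // Script blocking: tags are shipped as <script type="text/plain" data-consent="analytics" src="...">
  // so the browser never executes them. Only tags in consented categories become live scripts.
  activateScripts(doc = globalThis.document) {
    if (!doc) return 0; // not in a browser (tests, server-side rendering)
    let activated = 0;
    for (const blocked of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
      if (!this.isAllowed(blocked.dataset.consent)) continue;
      const live = doc.createElement('script');
      if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
      blocked.replaceWith(live);
      activated++;
    }
    return activated;
  }
}
```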
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
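The maintenance table earlier in the post lists a monthly cookie scan; the categories above are what the scan checks against. The following is an added example of such a check, not code from the original post or from any scanning tool it names: it parses Set-Cookie headers captured from a page load, matches each cookie to the inventory your cookie policy declares, and reports cookies that are undeclared, non-essential cookies set before any consent choice, and unusually long lifetimes. The declared inventory and the captured headers are constructed sample data, and the 12-month lifetime threshold is this example’s own review trigger rather than a legal limit.

```javascript
// Added example, not code from the original post: a cookie-scan check of the
// kind the "run cookie scan" maintenance task calls for, using the categories
// from the table above. Input is a list of Set-Cookie headers captured from a
// page load together with the cookie inventory your policy declares; output is
// a list of findings. The inventory and the captured headers are constructed.

// Declared inventory: cookie name (or name prefix) -> category.
const DECLARED = {
  PHPSESSID: 'necessary',
  wordpress_logged_in: 'necessary',   // actual name is wordpress_logged_in_<hash>
  woocommerce_cart_hash: 'necessary',
  pll_language: 'functional',
  _ga: 'analytics',
  _fbp: 'marketing',
};

// Parse one Set-Cookie header into { name, maxAgeDays, attrs }.
// maxAgeDays is null for a session cookie; `now` is needed to turn an
// absolute Expires date into a lifetime.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  let maxAgeDays = null;
  if (attrs['max-age'] !== undefined) {
    maxAgeDays = Number(attrs['max-age']) / 86400;
  } else if (attrs.expires) {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) maxAgeDays = (t - now) / 86400000;
  }
  return { name, maxAgeDays, attrs };
}

// Match an observed cookie to the declared inventory (exact name, or declared
// prefix followed by "_", which covers hashed WordPress and GA4 names).
function categoryOf(name) {
  for (const [declared, category] of Object.entries(DECLARED)) {
    if (name === declared || name.startsWith(declared + '_')) return category;
  }
  return null;
}

// Audit one capture. `consented` is true if the capture was taken after the
// visitor accepted every category; false for a fresh visit with no choice yet.
function auditCookies(headers, consented, now = Date.now()) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header, now);
    const category = categoryOf(cookie.name);
    if (category === null) {
      findings.push({ cookie: cookie.name, issue: 'undeclared' });
      continue; // nothing else can be judged without knowing what it is
    }
    if (!consented && category !== 'necessary') {
      findings.push({ cookie: cookie.name, issue: 'set-before-consent', category });
    }
    // Lifetime check: the threshold is this example's own review trigger, not a
    // legal limit; a long-lived cookie should at least match what the policy states.
    if (cookie.maxAgeDays !== null && cookie.maxAgeDays > 365) {
      findings.push({ cookie: cookie.name, issue: 'lifetime-over-12-months', days: Math.round(cookie.maxAgeDays) });
    }
  }
  return findings;
}

// Constructed capture of a first visit, before the banner has been answered.
const SAMPLE_FIRST_VISIT = [
  'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.1.111.222; Max-Age=63072000; Path=/; Domain=.example.com',
  '_fbp=fb.1.333; Max-Age=7776000; Path=/',
  '_hjSessionUser_12345=eyJpZCI6ImFiYyJ9; Max-Age=31536000; Path=/',
];
```

Run auditCookies once on a capture taken before answering the banner and once after accepting everything: the first run shows whether your consent tool actually blocks analytics and marketing cookies, the second shows whether your policy’s inventory is complete. In the constructed sample, the Hotjar cookie is the kind of thing that appears after a plugin install and never makes it into the policy.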
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
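To make the requirements above concrete (active consent, granular categories, easy withdrawal, a stored record, and scripts blocked until consent exists), here is a small consent manager written as an added example. It is not code from this post or from any of the plugins compared below. It assumes the common convention of shipping non-essential scripts as `<script type="text/plain" data-cookiecategory="...">` so the browser never executes them before consent; the attribute name, policy version and sample script list are constructed for the demo.

```javascript
// Consent manager sketch for the ePrivacy/GDPR rules above. Added example:
// not code from the post or from any plugin it names. Assumed convention:
// non-essential scripts ship as <script type="text/plain" data-cookiecategory="analytics">
// so the browser never executes them before consent (attribute name is hypothetical).

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01";   // bump whenever the cookie policy changes

// Active consent only: every optional category starts unticked.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from what the visitor actually clicked. Only a boolean
// true counts; "necessary" cannot be refused; unknown keys are ignored.
function buildConsentRecord(choices, now = new Date()) {
  const categories = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) categories[cat] = true;
  }
  return { policyVersion: POLICY_VERSION, timestamp: now.toISOString(), categories };
}

// "Reject all" must be one click away and produce a record just like "Accept all".
function rejectAll(now = new Date()) { return buildConsentRecord({}, now); }
function acceptAll(now = new Date()) {
  return buildConsentRecord({ functional: true, analytics: true, marketing: true }, now);
}

// Withdrawal is as easy as giving consent: it is simply a new, logged record.
const withdrawConsent = rejectAll;

// A stored record only counts if it was given against the current policy;
// after a policy change the banner must be shown again ("prior" consent).
function consentIsCurrent(record) {
  return !!record && record.policyVersion === POLICY_VERSION
    && !!record.categories && record.categories.necessary === true;
}

// Pure decision: which blocked scripts may run under this record.
function allowedScripts(scripts, record) {
  const cats = consentIsCurrent(record) ? record.categories : defaultConsent();
  return scripts.filter(s => s.category === "necessary" || cats[s.category] === true);
}

// Browser glue: swap each permitted placeholder for a live script element.
function activateScripts(record) {
  if (typeof document === "undefined") return 0;
  const placeholders = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-cookiecategory]')
  ).map(el => ({ el, category: el.dataset.cookiecategory }));
  let activated = 0;
  for (const { el } of allowedScripts(placeholders, record)) {
    const live = document.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample of a page's scripts, used for the stand-alone demo.
const SAMPLE_SCRIPTS = [
  { name: "csrf-helper", category: "necessary" },
  { name: "analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];

function demo() {
  // A non-boolean "on" is not an active choice, so marketing stays blocked.
  const record = buildConsentRecord({ analytics: true, marketing: "on" });
  return allowedScripts(SAMPLE_SCRIPTS, record).map(s => s.name); // ["csrf-helper", "analytics"]
}
```

The record returned by `buildConsentRecord` is what you persist (in a first-party cookie plus your consent log) to satisfy the "consent records" requirement; storing the policy version with it is what lets you detect that a visitor's earlier choice predates a policy change and needs to be asked for again.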
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
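The access, portability and erasure processes in the checklist above, carried through over several data stores as an added example (not the post's code and not WordPress's built-in tools). The in-memory stores, record shapes and the rule that invoice rows are retained under a legal obligation are constructed assumptions for the demo.

```javascript
// Access/portability export and erasure-with-exceptions across several stores.
// Added example, not the post's or WordPress's code. Stores, record shapes and
// the invoice-retention rule are constructed assumptions.

const stores = {
  accounts:   [{ userId: 42, email: "alice@example.com", name: "Alice Example", createdAt: "2024-03-01" }],
  newsletter: [{ email: "alice@example.com", consentedAt: "2024-03-02", ip: "203.0.113.5" }],
  invoices:   [{ userId: 42, email: "alice@example.com", invoiceNo: "INV-1001", total: 49.0, issuedAt: "2024-04-10" },
               { userId: 7,  email: "bob@example.com",   invoiceNo: "INV-1002", total: 19.0, issuedAt: "2024-04-11" }],
  formSubmissions: [{ email: "alice@example.com", message: "Question about pricing", ts: "2024-04-09" }],
};

// Stores where a legal obligation (tax records) overrides erasure: the row is
// kept, but the listed identifying fields are blanked (assumed policy).
const ERASURE_EXCEPTIONS = { invoices: ["email", "userId"] };

const belongsTo = (row, subject) =>
  (row.userId !== undefined && row.userId === subject.userId) || row.email === subject.email;

// Access / portability: one machine-readable JSON document holding every row
// about the subject, grouped by store, ready to hand over or import elsewhere.
function exportPersonalData(subject, now = new Date()) {
  const data = {};
  for (const [name, rows] of Object.entries(stores)) {
    data[name] = rows.filter(r => belongsTo(r, subject));
  }
  return JSON.stringify({ exportedAt: now.toISOString(), subject, data }, null, 2);
}

// Erasure with exceptions: delete matching rows, except in stores under a
// retention obligation, where the identifying fields are blanked and the row
// kept. Returns a per-store summary for the response to the data subject.
function erasePersonalData(subject) {
  const summary = { deleted: {}, retainedAnonymised: {} };
  for (const [name, rows] of Object.entries(stores)) {
    const fieldsToBlank = ERASURE_EXCEPTIONS[name];
    if (fieldsToBlank) {
      let n = 0;
      for (const r of rows) {
        if (!belongsTo(r, subject)) continue;
        for (const f of fieldsToBlank) r[f] = "[erased]";
        n++;
      }
      summary.retainedAnonymised[name] = n;
    } else {
      const before = rows.length;
      stores[name] = rows.filter(r => !belongsTo(r, subject));
      summary.deleted[name] = before - stores[name].length;
    }
  }
  return summary;
}
```

The point of the summary object is that the data subject's reply can state exactly what was deleted and what was retained and why; "erase within 30 days, with exceptions" is only defensible if the exceptions are documented per store rather than decided ad hoc.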
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
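A server-side safety net for "do not collect card numbers in your own forms", as an added example that is not code from the post or from any payment processor. If a visitor (or a misconfigured form) posts something that looks like a card number to one of your own endpoints, the request is refused before the body is logged or stored, so the value never lands in your database or log files and your PCI scope stays where the hosted form put it. The field names and sample requests are constructed.

```javascript
// Refuse card numbers posted to your own endpoints. Added example, not the
// post's or any processor's code; field names and sample input are constructed.

// Luhn checksum, which every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find runs of 13 to 19 digits (spaces or dashes allowed between digits)
// anywhere in a value and keep the ones that pass Luhn. Long numeric ids can
// occasionally pass Luhn by chance, which is an acceptable false positive for
// fields that should never carry a PAN.
function findCardNumbers(value) {
  const candidates = String(value).match(/(?:\d[ -]?){12,18}\d/g) || [];
  return candidates.map(c => c.replace(/[ -]/g, "")).filter(luhnValid);
}

function looksLikeCardNumber(value) {
  return findCardNumbers(value).length > 0;
}

// Request handler shape: check every submitted field first, and report only
// the field names, never the value, so the PAN does not leak into the error.
function handleCheckoutForm(form) {
  const hits = Object.entries(form)
    .filter(([, v]) => looksLikeCardNumber(v))
    .map(([k]) => k);
  if (hits.length > 0) {
    return {
      status: 400,
      error: `card number submitted in field(s): ${hits.join(", ")}; use the processor's hosted payment field`,
    };
  }
  // Only now is it safe to log or persist the body; a processor token such as
  // the constructed "tok_..." value below is fine to keep.
  return { status: 200, ok: true, fields: Object.keys(form) };
}
```

Run this check in the same place you would otherwise validate the form, before any logging middleware sees the body. The well-known test number 4242 4242 4242 4242 passes Luhn, so it makes a safe fixture for verifying the guard without using a real card.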
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)) - and analytics and advertising cookies count as monitoring. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods/services to, or monitoring, people in the EU | Lawful basis for processing, consent, data subject rights, DPO for large-scale processors | Up to 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by the ICO | Up to 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible, collects any data (email signups, contact forms, cookies, analytics) and is used by people in the EU, you are almost certainly within GDPR's reach - analytics tracking alone is enough to count as monitoring behaviour. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA was amended by CPRA, Brazil's LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. Prefer an explicit checkbox (clickwrap) wherever someone registers or pays; "using the site implies acceptance" (browsewrap) is routinely held unenforceable by US courts because there is no evidence the user ever saw the terms
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The same rule covers any storage of or access to information on the visitor's device - localStorage, tracking pixels, fingerprinting scripts - not only HTTP cookies.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and by whom (and, as good practice, under which version of your cookie policy). For anonymous visitors "whom" is a random consent ID stored alongside the choice, not a name or account - do not collect more identity for the consent log than you already hold
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Hotjar session recordings, Matomo in its default cookie mode | Yes under GDPR (some regulators exempt strictly first-party, cookieless, anonymised audience measurement - see the privacy-first analytics section) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month; extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form), and how you verify that the requester is the data subject before releasing anything - a fake access request is a well-known social-engineering route to someone else's data
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is a GDPR violation (Article 28 requires a written contract with every processor) even if everything else is in order. For vendors outside the EU/UK, check that the DPA also covers the international transfer - Standard Contractual Clauses, or the EU-US Data Privacy Framework for US companies certified under it.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected people directly without undue delay. Every breach, notified or not, must be documented internally (what happened, its effects, what you did about it) so the regulator can check your reasoning. Designate someone responsible for breach assessment and notification in your organization, and agree in advance who starts the clock - 72 hours goes quickly when the first day is spent deciding whether an incident was a breach at all.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal, which California treats as a valid opt-out of sale/sharing even if the visitor never clicks the link. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or a processor-hosted iframe form from a compliant processor (Stripe, PayPal, Square). When card data goes from the processor's iframe or page straight to the processor's servers and never touches yours, your PCI scope is reduced to SAQ A, the shortest self-assessment questionnaire. The distinction matters: if your own page contains the card fields and your JavaScript posts them to the processor (a "direct post" integration), you fall into SAQ A-EP instead, which is far longer because your page is now part of the attack surface.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by rendering the card fields inside processor-hosted iframes and tokenizing the details before anything reaches your server. Even under SAQ A the checkout page itself still matters: card-skimming attacks (Magecart) inject scripts into the merchant's page around the payment iframe, so keep third-party scripts off the checkout page and review what loads there after every plugin update.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the registration lapses unless renewed every three years, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp and the version of the terms accepted alongside the account, not just a boolean. For GDPR consent, separate, unticked checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and consent to marketing must not be a condition of creating the account.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
| Renew DMCA agent registration | Every 3 years | UGC sites only. The registration lapses if it is not renewed. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need explicit opt-in consent to send marketing emails to subscribers, with only a narrow "soft opt-in" for existing customers about your own similar products. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism, a valid postal address and honest headers, and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages; implied consent exists only in limited and time-limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets identifying cookies (the _ga client ID) and shares the resulting data with Google, whose servers are in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies disabled, IP anonymisation on and no cross-site or user-ID tracking, some regulators (CNIL in France, for example) accept it as audience measurement exempt from the consent requirement; in its default cookie configuration it needs consent like any other analytics tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers anything else stored on or read from the visitor’s device for a non-essential purpose, such as localStorage entries and tracking pixels. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session - so tracking scripts must not load at all until the visitor has made a choice.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent, and “Reject All” must be as easy to find and click as “Accept All” - burying it behind a “Settings” link while “Accept All” is a one-click button has drawn fines from EU regulators.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and under which version of your cookie policy, tied to a pseudonymous consent ID rather than to the visitor’s identity - the record is evidence of consent, not another tracking profile
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (Matomo run in cookie-less mode is the exception - see Privacy-First Analytics below) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (verify the requester’s identity first - a forged access request is a cheap way to exfiltrate someone else’s data - then provide the data within one month, extendable by two further months for complex or numerous requests)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you are legally required to keep for accounting or tax purposes)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation (Article 28 requires a written contract with every processor) even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to pose a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Keep an internal breach register recording every incident, including the ones you decide not to report and why - the regulator can ask for it. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server, so your code only ever sees a token. Reduced scope is not zero scope: a malicious or compromised script on the checkout page can overlay a fake card form or read what the visitor types, so keep that page’s script list short, review it whenever a plugin is added or updated, and make sure anything that looks like a card number is refused by your other forms and scrubbed from your logs.
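A server-side guard for the “never touches your server” rule, as an added example (not code from the article, Stripe, PayPal or WooCommerce): it refuses any form submission carrying something that looks like a card number, so a PAN that a visitor types into a contact or support field, or that a misconfigured plugin posts to you, never reaches your database, and it redacts card numbers from log lines before they are written. The field names, the Express wiring sketched in the comment and the sample submissions are constructed for the demo; the test number is Stripe’s public `4242 4242 4242 4242`, not a real card.

```javascript
'use strict';
// Added example, not code from the article, Stripe, PayPal or WooCommerce. A server-side
// guard that refuses any submission carrying what looks like a card number, plus a redactor
// for log lines. Field names and sample submissions are constructed for the demo.

// A card number: 13 to 19 digits, optionally separated by single spaces or dashes, not
// glued to other digits. Runs longer than 19 digits are ignored, so a PAN embedded in a
// longer digit string is missed; the Luhn check removes most false hits on other numbers.
const PAN_CANDIDATE = /(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/g;

// Luhn checksum: every card number passes it, most random digit strings do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Every Luhn-valid candidate in a string, with its position and last four digits.
// The full number is deliberately not returned, so callers cannot log it by accident.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) hits.push({ index: m.index, last4: digits.slice(-4) });
  }
  return hits;
}

// Mask all but the last four digits, keeping separators so the log line stays readable.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return match;
    let seen = 0;
    return match.replace(/\d/g, (ch) => (++seen > digits.length - 4 ? ch : '*'));
  });
}

// Walk a parsed request body (nested objects and arrays included) and report every
// field that carries a card number. The whole submission is refused if any is found.
function screenSubmission(body) {
  const violations = [];
  const walk = (value, at) => {
    if (value === null || value === undefined) return;
    if (typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, at ? `${at}.${k}` : k);
    } else {
      for (const hit of findPans(value)) violations.push({ field: at, last4: hit.last4 });
    }
  };
  walk(body, '');
  return { ok: violations.length === 0, violations };
}

// Express wiring (illustrative, not run here). Note the error message never echoes the number:
//   app.post('/contact', (req, res, next) => {
//     const result = screenSubmission(req.body);
//     if (!result.ok) return res.status(422).json({ error: 'Do not enter card numbers here; use the checkout form.' });
//     next();
//   });
// For logs, wrap your logger so every line passes through redactPans() before it is written.

// Constructed sample submissions for the demo.
const SAMPLE_BAD = { name: 'A. Customer', note: 'Please charge my card 4242 4242 4242 4242, thanks' };
const SAMPLE_OK = { order: '1234567812345678', phone: '+1 415 555 0100', note: 'ref 2025-000123' };

if (typeof module !== 'undefined') {
  module.exports = { luhnValid, findPans, redactPans, screenSubmission, SAMPLE_BAD, SAMPLE_OK };
}
```

The guard errs toward refusing: any Luhn-valid 13 to 19 digit number trips it, and IMEIs, for example, also pass Luhn, so a support form that legitimately collects device identifiers needs a narrower check (issuer prefixes, or an allow-list of fields). For contact, registration and review forms that should never contain payment data, refusing the whole submission is the right default, because the alternative is a card number sitting in your database, your backups and your email notifications.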
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
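As an added example, not code from the article or from any of the consent plugins it compares, here is a minimal consent gate in plain JavaScript that encodes the requirements listed above together with the category table: nothing non-essential loads before a choice, the default for every non-exempt category is refusal, accept-all and reject-all are symmetric, withdrawal is just another record, and each decision yields a versioned, timestamped record. The category names, policy version, tag list and the caller-supplied `consentId` are this example's own assumptions.

```javascript
'use strict';

// Cookie categories from the table above. Only strictly necessary cookies are
// exempt from consent; every other category defaults to "not consented".
const CATEGORIES = Object.freeze({
  necessary:  { exempt: true },
  functional: { exempt: false },
  analytics:  { exempt: false },
  marketing:  { exempt: false },
});

// Bump this whenever the cookie policy changes so that old records stop counting
// and the banner is shown again (assumed versioning scheme).
const POLICY_VERSION = 3;

// Build a consent record from an explicit user action. `choices` holds only the
// categories the user actively ticked; anything absent is refused, so nothing is
// ever pre-ticked. `consentId` is a caller-supplied pseudonymous id (for example
// from crypto.randomUUID()) so a later withdrawal can be matched to this record.
function buildConsentRecord(choices, consentId, now = new Date()) {
  if (!Array.isArray(choices)) throw new TypeError('choices must be an explicit array of categories');
  for (const c of choices) if (!(c in CATEGORIES)) throw new RangeError(`unknown category: ${c}`);
  const categories = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    categories[name] = meta.exempt || choices.includes(name);
  }
  return { consentId, policyVersion: POLICY_VERSION, timestamp: now.toISOString(), categories };
}

// "Accept all" and "Reject all" are just two choice lists; a banner must offer both.
const NON_EXEMPT = Object.keys(CATEGORIES).filter((n) => !CATEGORIES[n].exempt);
const acceptAll = (consentId, now) => buildConsentRecord(NON_EXEMPT, consentId, now);
const rejectAll = (consentId, now) => buildConsentRecord([], consentId, now);

// Withdrawal must be as easy as giving consent: it is a new record with the
// category switched off, keeping the same id so the log shows the change.
function withdraw(record, category, now = new Date()) {
  const remaining = NON_EXEMPT.filter((n) => n !== category && record.categories[n] === true);
  return buildConsentRecord(remaining, record.consentId, now);
}

// May a script in `category` run under `record`? With no record only exempt
// categories may load: "prior" consent means nothing else loads before the
// choice. A record for an older policy version is treated as no record.
function mayLoad(record, category) {
  const meta = CATEGORIES[category];
  if (!meta) throw new RangeError(`unknown category: ${category}`);
  if (meta.exempt) return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return record.categories[category] === true;
}

// Constructed tag inventory: each third-party script is labelled with its category.
const SITE_TAGS = [
  { src: '/js/session-keepalive.js',         category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js',     category: 'marketing' },
];

// Return the script URLs that may be injected under the current record.
function allowedScripts(record, tags = SITE_TAGS) {
  return tags.filter((t) => mayLoad(record, t.category)).map((t) => t.src);
}

// Browser side: inject only the allowed scripts. Guarded so the module also
// runs under Node for testing.
function injectAllowed(record, tags = SITE_TAGS) {
  const srcs = allowedScripts(record, tags);
  if (typeof document !== 'undefined') {
    for (const src of srcs) {
      const s = document.createElement('script');
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return srcs;
}
```

Persist each record returned by `buildConsentRecord` or `withdraw` server-side (or in the plugin's consent log); that stored list is the "consent records" evidence the requirements call for.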
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
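As an added example (not code from this post or from any of the consent plugins it compares), here is a small consent manager in JavaScript that puts the requirements listed above and the category table into practice: nothing outside the Strictly Necessary category runs until the visitor makes an explicit per-category choice, every decision is logged with timestamp, user, method and policy version, and withdrawal is one call. It also shows why bundled consent fails: a decision missing a choice for any category is rejected. ConsentManager, POLICY_VERSION and the demo values are this example’s own assumptions; storage and the DOM are abstracted so the logic runs in Node.

```javascript
// Constructed placeholder: the version of the cookie policy the visitor saw.
const POLICY_VERSION = "cookie-policy-v3";

// Categories from the table above. Only "necessary" is exempt from consent.
const CATEGORIES = {
  necessary: { exempt: true },
  functional: { exempt: false },
  analytics: { exempt: false },
  marketing: { exempt: false },
};

class ConsentManager {
  constructor({ now = () => new Date().toISOString(), log = [] } = {}) {
    this.now = now;
    this.log = log;           // append-only consent records (the "consent log")
    this.choices = null;      // null = no decision yet, so no prior consent exists
    this.pending = new Map(); // category -> loaders deferred until consent is granted
  }

  // Before any decision only exempt categories are allowed: no pre-ticked boxes,
  // and scrolling or continuing to browse changes nothing here.
  allowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown category: ${category}`);
    if (CATEGORIES[category].exempt) return true;
    return this.choices !== null && this.choices[category] === true;
  }

  // Granular decision: an explicit boolean per non-exempt category is required.
  // "Accept All" and "Reject All" are just two particular inputs to this method.
  // Validation happens before any state changes, so a bad input leaves consent unset.
  decide(choices, { userId = null, method = "banner" } = {}) {
    const normalized = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      if (meta.exempt) continue;
      if (typeof choices[name] !== "boolean") {
        throw new Error(`missing explicit choice for category "${name}"`);
      }
      normalized[name] = choices[name];
    }
    this.choices = normalized;
    const record = {
      timestamp: this.now(),
      userId,                        // who consented (account id, or null for anonymous)
      method,                        // banner, settings page, withdrawal, ...
      policyVersion: POLICY_VERSION, // what text the consent refers to
      choices: { ...normalized },    // what exactly was consented to
    };
    this.log.push(record);
    this.flushPending();
    return record;
  }

  // Withdrawal must be as easy as granting: one call, logged like any other decision.
  // Note: this stops future loads; a tag already running needs its cookies cleared
  // or a page reload, which this example does not do.
  withdrawAll(opts = {}) {
    const rejected = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      if (!meta.exempt) rejected[name] = false;
    }
    return this.decide(rejected, { ...opts, method: "withdrawal" });
  }

  // Script blocking: the loader runs only if its category is allowed; otherwise it is
  // queued and runs only if consent for that category is granted later.
  loadScript(category, loader) {
    if (this.allowed(category)) { loader(); return true; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(loader);
    return false;
  }

  flushPending() {
    for (const [category, loaders] of this.pending) {
      if (!this.allowed(category)) continue;
      loaders.forEach((fn) => fn());
      this.pending.delete(category);
    }
  }
}

// Typical sequence: page load (nothing non-essential runs), a granular decision that
// accepts analytics but rejects marketing, then a full withdrawal. Returns what was
// actually loaded, in order, plus the consent log. Values are constructed sample data.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({ now: () => "2024-06-01T10:00:00Z" });
  cm.loadScript("necessary", () => loaded.push("session-cookie")); // exempt: runs at once
  cm.loadScript("analytics", () => loaded.push("analytics-tag"));  // blocked until consent
  cm.loadScript("marketing", () => loaded.push("ad-pixel"));       // never consented to
  cm.decide({ functional: true, analytics: true, marketing: false }, { userId: "u-42" });
  cm.withdrawAll({ userId: "u-42" });
  return { loaded, log: cm.log, analyticsAllowed: cm.allowed("analytics") };
}
```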
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
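A guard for the "do not collect, do not store" rule, as an added example that is not code from the original post, Stripe or WooCommerce: it screens incoming form fields on the server so that a misconfigured form cannot quietly pull raw card numbers into your database or logs. Field names and sample values are constructed.

```javascript
// Added example, not code from the original post, Stripe or WooCommerce: a
// server-side guard that refuses to store or log anything that looks like a
// card number, so a misconfigured form cannot quietly pull raw card data
// into your PCI scope. Field names and sample values are constructed.

// Luhn check: real card numbers pass it; most other digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
// that also pass Luhn. Returns the matches exactly as they appear in `text`.
function findCardNumbers(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  for (const m of String(text).matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(m[0]);
    }
  }
  return hits;
}

// Field names that should never exist on your own forms; their presence is
// rejected even when the value is empty.
const FORBIDDEN_FIELD = /(card.?number|cardnum|ccnum|\bpan\b|cvv|cvc|expir)/i;

// For log lines: keep only the last four digits.
function maskCardNumber(match) {
  const digits = match.replace(/[ -]/g, "");
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Screen a submission before it reaches the database or a log line. Returns
// whether it may be accepted, which fields tripped the guard, and a masked
// copy that is safe to write to logs while you investigate the form.
function screenSubmission(fields) {
  const flagged = [];
  const loggable = {};
  for (const [name, value] of Object.entries(fields)) {
    let masked = String(value);
    const hits = findCardNumbers(masked);
    if (hits.length > 0 || FORBIDDEN_FIELD.test(name)) flagged.push(name);
    for (const h of hits) masked = masked.split(h).join(maskCardNumber(h));
    loggable[name] = masked;
  }
  return { accepted: flagged.length === 0, flagged, loggable };
}
```

Wire `screenSubmission` in front of the contact-form and checkout handlers that write to your database; a rejected submission is a signal that a form is collecting what it should not, not something to store and clean up later.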
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
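The rules above (prior consent, no passive acceptance, explicit per-category choices, easy withdrawal, a stored record of who consented to what and when) map directly onto code. The following is an added example, not code from the original post or from any of the consent plugins it compares: a DOM-free consent manager whose gating logic can be unit tested; `visitorId` is assumed to be a pseudonymous id the site already assigns, and wiring the gate to real script tags is site-specific.

```javascript
// Added example (not from the original post or any consent plugin): a DOM-free
// consent manager that encodes the ePrivacy/GDPR rules so they can be tested.

// Cookie categories from the table above; only "necessary" is exempt from consent.
const CATEGORIES = Object.freeze({
  necessary: { exempt: true },   // session, login, cart, CSRF token cookies
  functional: { exempt: false },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

// Actions that count as active consent. Scrolling or continuing to browse is
// deliberately absent: passive "consent" is not consent.
const ACTIVE_METHODS = new Set(['accept_all', 'reject_all', 'custom']);

// Before the visitor acts, nothing non-essential is granted ("prior" consent).
function defaultGrants() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build the consent record to persist: what was granted, when, by which visitor
// and how. `visitorId` is assumed to be a pseudonymous id the site already has.
function recordConsent(choices, { method, visitorId, timestamp = Date.now() }) {
  if (!ACTIVE_METHODS.has(method)) {
    throw new Error(`"${method}" is not an active consent action`);
  }
  const granted = defaultGrants();
  for (const [category, meta] of Object.entries(CATEGORIES)) {
    if (meta.exempt) continue;
    if (method === 'accept_all') {
      granted[category] = true;
    } else if (method === 'reject_all') {
      granted[category] = false;
    } else {
      // "custom": every non-exempt category needs an explicit true/false. A
      // missing value must never default to granted (no pre-ticked boxes).
      if (typeof choices[category] !== 'boolean') {
        throw new Error(`explicit choice required for "${category}"`);
      }
      granted[category] = choices[category];
    }
  }
  return { version: 1, visitorId, method, timestamp, granted };
}

// Withdrawal is as easy as granting: one call, same record shape, new timestamp.
function withdrawConsent(record, timestamp = Date.now()) {
  return { ...record, method: 'withdrawn', timestamp, granted: defaultGrants() };
}

// The gate every non-essential script load or cookie write goes through.
// With no record at all (visitor has not acted yet) only exempt cookies pass.
function mayLoad(record, category) {
  const meta = CATEGORIES[category];
  if (!meta) throw new Error(`unknown cookie category "${category}"`);
  if (meta.exempt) return true;
  return Boolean(record && record.granted[category] === true);
}

// Given scripts tagged with their category, return only those allowed to run now.
function scriptsToLoad(record, scripts) {
  return scripts.filter((s) => mayLoad(record, s.category)).map((s) => s.src);
}
```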
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
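As an added example (not the page's own code, nor any of the plugins below), the requirements above as a small consent gate in JavaScript: non-essential categories default to refused, the record captures what was granted, when and by which pseudonymous subject, withdrawal is one call, and category-tagged scripts only run once their category is granted. The cookie name, the policy version string and the `type="text/plain"` script-tagging convention are assumptions for illustration.

```javascript
// Added example: a minimal consent gate for the four cookie categories in the table above.
// Not from the original page or any consent plugin; names and the "text/plain" blocked-script
// pattern are assumptions for illustration.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_COOKIE = "site_consent"; // assumed name; this cookie itself is strictly necessary
const POLICY_VERSION = "2024-01";      // assumed; bump it whenever the cookie policy changes

// State before the visitor has acted: nothing non-essential is allowed.
// Scrolling or continuing to browse never changes this.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the visitor's granular choices.
// "necessary" cannot be refused (it is exempt); every other category defaults to refused,
// so "Accept All" and "Reject All" are just two inputs to the same function.
function buildConsentRecord(choices, now = new Date(), subjectId = "anon") {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    granted[cat] = choices[cat] === true; // anything but an explicit true counts as a refusal
  }
  return {
    version: POLICY_VERSION,
    subjectId,                    // pseudonymous id: "by which user"
    timestamp: now.toISOString(), // "when"
    granted,                      // "what was consented to"
    withdrawn: false,
  };
}

// Withdrawal must be as easy as giving consent: one call resets everything non-essential.
function withdrawConsent(record, now = new Date()) {
  return { ...record, granted: defaultConsent(), withdrawn: true, timestamp: now.toISOString() };
}

// Decide which blocked scripts may run. Each script carries its category; an unknown or
// missing category is treated as marketing, the strictest case.
function scriptsAllowedToRun(scripts, record) {
  return scripts.filter((s) => {
    const cat = CATEGORIES.includes(s.category) ? s.category : "marketing";
    return record.granted[cat] === true;
  });
}

// Browser glue: third-party scripts ship as <script type="text/plain" data-cookie-category="...">
// so the browser never executes them; after consent the allowed ones are cloned as real scripts.
function activateConsentedScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const allowed = scriptsAllowedToRun(
    blocked.map((el) => ({ category: el.dataset.cookieCategory, el })),
    record
  );
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Persist the record in the (strictly necessary) consent cookie; the same record goes to the consent log.
function serializeConsentCookie(record) {
  const v = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${v}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Read the record back from a Cookie header. A record for an older policy version is stale:
// ask again rather than assume the old consent still covers the new policy.
function parseConsentCookie(cookieHeader) {
  const match = cookieHeader.split(";").map((c) => c.trim()).find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!match) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(match.slice(CONSENT_COOKIE.length + 1)));
    return rec.version === POLICY_VERSION ? rec : null;
  } catch {
    return null;
  }
}
```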
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
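An added example, not from the page or any processor's SDK: a server-side guard for a tokenized checkout that confirms the request really carries only a processor token and rejects anything that looks like a card number or security code before it can reach a database or a log. The `payment_method` field name, the token pattern and the sample values are assumptions.

```javascript
// Added example: server-side checkout guard for a tokenized payment flow.
// Not from the original page or any processor's SDK; field names, token shape and
// sample values are assumptions for illustration.

// Luhn check: the checksum every card brand uses, so a 13-19 digit string that passes it
// is treated as a probable PAN (primary account number).
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, ""); // accept "4242 4242 ..." and dashed forms
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk an arbitrary JSON body and return the paths of fields holding card-number-like values.
function findPanFields(obj, path = "") {
  const hits = [];
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
  } else if (looksLikePan(obj)) {
    hits.push(path);
  }
  return hits;
}

const TOKEN_PATTERN = /^(pm|tok)_[A-Za-z0-9]{8,}$/; // assumed token shape for illustration
const CVC_FIELDS = /^(cvc|cvv|csc|cvv2|card_cvc)$/i; // a security code must never reach this server

// Validate a checkout request. Returns { ok: true, token } or { ok: false, reason }.
function validateCheckoutPayload(body) {
  if (!body || typeof body !== "object") return { ok: false, reason: "invalid body" };
  const pan = findPanFields(body);
  if (pan.length) return { ok: false, reason: `raw card number in field(s): ${pan.join(", ")}` };
  const cvc = Object.keys(body).filter((k) => CVC_FIELDS.test(k));
  if (cvc.length) return { ok: false, reason: `security code field(s) not accepted: ${cvc.join(", ")}` };
  const token = body.payment_method;
  if (typeof token !== "string" || !TOKEN_PATTERN.test(token)) return { ok: false, reason: "missing processor token" };
  return { ok: true, token }; // only the token is forwarded to the processor and stored
}

// Mask card-number-like runs before a value goes into a log line, in case a PAN slips
// through somewhere else (error messages, request dumps).
function redactForLog(value) {
  return String(value).replace(/\b(\d[ -]?){12,18}\d\b/g, (m) => "*".repeat(m.length - 4) + m.slice(-4));
}
```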
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
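The requirements list and the category table above describe mechanics, not code. The following added example (not from the article or from any plugin it names) shows them in a minimal consent gate: no non-essential script runs before consent, categories are granted separately, withdrawal is one call, and every decision is logged with what was consented to, when, by which visitor and under which policy version. Storage and script loading are injected so the logic runs outside a browser; `POLICY_VERSION`, the visitor id and the script URLs are assumed values.

```javascript
// Added example, not the article's code. In a browser you would pass
// localStorage-backed get/set functions and a loader that injects <script>.

const POLICY_VERSION = '2026-01'; // assumed; bump whenever the cookie policy changes

// Categories mirror the article's table. "necessary" needs no consent and
// cannot be switched off; every other category defaults to denied.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

class ConsentManager {
  constructor({ store, loadScript, now = () => new Date() }) {
    this.store = store;           // { get(key), set(key, value) }, e.g. localStorage
    this.loadScript = loadScript; // (src) => void, called only once consent exists
    this.now = now;
    this.pending = [];            // scripts parked until their category is granted
    this.loaded = new Set();
    this.log = [];                // consent records: what, when, version, visitor
  }

  // Current decision, or null if the visitor has not decided yet or the
  // policy version changed (old consent is not valid for a new policy).
  decision() {
    const raw = this.store.get('cookie_consent');
    if (!raw) return null;
    const d = JSON.parse(raw);
    return d.version === POLICY_VERSION ? d : null;
  }

  isGranted(category) {
    if (category === 'necessary') return true;
    const d = this.decision();
    return Boolean(d && d.granted[category]);
  }

  // Register a third-party script under a category. It loads immediately
  // only if that category is already granted; otherwise it waits.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category ' + category);
    if (this.isGranted(category)) this._load(src);
    else this.pending.push({ category, src });
  }

  // Record an explicit choice. Only categories the user ticked are granted;
  // "necessary" is always true, anything unlisted is false, so a pre-ticked
  // or bundled default cannot be expressed through this API.
  save(grantedList, visitorId) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === 'necessary' || grantedList.includes(c);
    const record = { version: POLICY_VERSION, at: this.now().toISOString(), visitorId, granted };
    this.store.set('cookie_consent', JSON.stringify(record));
    this.log.push(record); // in production, send this to your consent log
    this.pending = this.pending.filter((p) => {
      if (granted[p.category]) { this._load(p.src); return false; }
      return true;
    });
    return record;
  }

  acceptAll(visitorId) { return this.save(CATEGORIES, visitorId); }
  rejectAll(visitorId) { return this.save([], visitorId); }

  // Withdrawal is the same single step as granting. Scripts already running
  // keep running for this page view; reload afterwards so they are not
  // re-injected, and delete the cookies they set (omitted: script-specific).
  withdraw(visitorId) { return this.rejectAll(visitorId); }

  _load(src) {
    if (this.loaded.has(src)) return;
    this.loaded.add(src);
    this.loadScript(src);
  }
}
```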
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
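Tokenization only keeps you in SAQ A scope if raw card numbers really never reach your server; a mis-wired form or a custom "card number" field added later silently breaks that. The following added example (not the article's or any processor's code) is a server-side guard that scans submitted form fields for digit strings that pass the Luhn check and rejects the request before it is logged or stored, reporting only a masked value. The token value `tok_example` and the field names are constructed; the card number used in the test is a well-known public test number.

```javascript
// Added example, not the article's code: detect raw PANs in a checkout
// payload so a tokenization bypass is refused instead of stored.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keep first six and last four digits (the usual PCI masking rule) so the
// alert is useful without itself becoming stored card data.
function mask(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Returns { field, masked } for every string field containing a 13-19 digit
// run (spaces or dashes allowed) that passes Luhn. Roughly one in ten random
// digit strings passes Luhn, so treat a hit as "investigate", not "certain".
function findCardNumbers(fields) {
  const hits = [];
  for (const [field, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    const candidates = value.match(/(?:\d[ -]?){13,19}/g) || [];
    for (const c of candidates) {
      const digits = c.replace(/[ -]/g, '');
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
        hits.push({ field, masked: mask(digits) });
      }
    }
  }
  return hits;
}

// Handler-level use: refuse the request before any logging or persistence.
// Opaque processor tokens (constructed "tok_example" style values) pass.
function checkCheckoutPayload(fields) {
  const hits = findCardNumbers(fields);
  if (hits.length === 0) return { ok: true };
  return {
    ok: false,
    error: 'raw card data rejected; use the processor-hosted form',
    fields: hits.map((h) => h.field),   // field names only, never the digits
    masked: hits.map((h) => h.masked),  // safe to put in an alert
  };
}
```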
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
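The requirements in the list above and the category table, carried into working code as an added example (this is not code from the post or from any of the plugins it compares): a small consent store that blocks non-essential tags until an explicit, granular choice has been made, treats anything not ticked as refused, makes withdrawal a single call, and appends every decision to a log recording what, when and by whom. The script ids, the category registry and the `createConsentManager` name are this example's own assumptions; on a real site the registry is what your cookie scan produces.

```javascript
// Added example, not code from the original post: a consent store that
// enforces prior, granular, withdrawable consent and keeps a record of it.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed registry (assumption): which category each tag belongs to.
const SCRIPT_REGISTRY = {
  "session-auth": "necessary",
  "csrf-token": "necessary",
  "lang-pref": "functional",
  "google-analytics": "analytics",
  "facebook-pixel": "marketing",
};

function createConsentManager(opts = {}) {
  const now = opts.now || (() => new Date().toISOString());
  let state = null; // null until the visitor chooses: "prior" consent
  const log = [];   // append-only record: what, when, by whom

  function record(action, subject, category = null) {
    log.push({ action, category, choices: { ...state }, subject, at: now() });
  }

  // Only categories explicitly set to true are granted. Anything left out is
  // refused, so there is no pre-ticked default.
  function normalize(choices) {
    const out = { necessary: true }; // exempt, always on
    for (const cat of CATEGORIES.slice(1)) out[cat] = choices[cat] === true;
    return out;
  }

  function accept(choices, subject = "anonymous") {
    state = normalize(choices);
    record("accept", subject);
    return { ...state };
  }

  // "Reject All" is exactly as easy as "Accept All": one call each.
  function rejectAll(subject = "anonymous") {
    state = normalize({});
    record("reject-all", subject);
    return { ...state };
  }

  function acceptAll(subject = "anonymous") {
    const all = {};
    for (const cat of CATEGORIES) all[cat] = true;
    return accept(all, subject);
  }

  // Withdraw one category; the earlier grant stays in the log as history.
  function withdraw(category, subject = "anonymous") {
    if (category === "necessary" || !CATEGORIES.includes(category)) return false;
    if (state === null) return false;
    state[category] = false;
    record("withdraw", subject, category);
    return true;
  }

  // The gate every tag loader must pass through. Necessary scripts always
  // load, everything else waits for an explicit grant, and unknown scripts
  // stay blocked until someone classifies them.
  function canLoad(scriptId) {
    const cat = SCRIPT_REGISTRY[scriptId];
    if (cat === undefined) return false;
    if (cat === "necessary") return true;
    return state !== null && state[cat] === true;
  }

  return {
    accept, acceptAll, rejectAll, withdraw, canLoad,
    hasDecided: () => state !== null,
    getLog: () => log.map((e) => ({ ...e, choices: { ...e.choices } })),
  };
}
```

In a real deployment `canLoad` sits in front of the tag loader (the script-blocking feature the plugin table lists), the log is persisted server-side with the visitor's consent id so it survives a cleared browser, and the `subject` is a pseudonymous id rather than anything that identifies the visitor more than the consent record itself requires.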
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
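The 4.5:1 figure above comes from the WCAG 2.1 contrast-ratio formula, which is simple enough to run over your own theme colours before a WAVE scan flags them. The following is an added example, not code from the post or from WAVE or axe: it computes relative luminance for sRGB hex colours, derives the contrast ratio, and audits a constructed sample palette. The palette and the function names are this example's own assumptions.

```javascript
// Added example, not from the original post: WCAG 2.1 contrast ratio
// (relative luminance of sRGB colours) applied to a constructed palette.

// sRGB channel (0-255) to linear light, per the WCAG 2.1 definition.
function channelToLinear(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Relative luminance L of a #rrggbb colour: 0.2126 R + 0.7152 G + 0.0722 B.
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(String(hex).trim());
  if (!m) throw new Error(`expected #rrggbb, got ${hex}`);
  const n = parseInt(m[1], 16);
  const r = (n >> 16) & 255, g = (n >> 8) & 255, b = n & 255;
  return 0.2126 * channelToLinear(r) + 0.7152 * channelToLinear(g) + 0.0722 * channelToLinear(b);
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05), lighter colour on top. Ranges
// from 1:1 (identical) to 21:1 (black on white).
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (18pt, or 14pt bold).
function meetsAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of text/background pairs and return the ones that fail,
// with the measured ratio so the fix can be sized.
function auditPalette(pairs) {
  return pairs
    .filter((p) => !meetsAA(p.fg, p.bg, p.largeText === true))
    .map((p) => ({ ...p, ratio: Number(contrastRatio(p.fg, p.bg).toFixed(2)) }));
}

// Constructed sample palette (assumption): #777 on white is a classic
// near-miss for body text, while #767676 just clears 4.5:1.
const SAMPLE_PALETTE = [
  { name: "body text", fg: "#333333", bg: "#ffffff" },
  { name: "muted caption", fg: "#777777", bg: "#ffffff" },
  { name: "footer link", fg: "#767676", bg: "#ffffff" },
  { name: "hero heading", fg: "#777777", bg: "#ffffff", largeText: true },
];
```

Running `auditPalette(SAMPLE_PALETTE)` reports only the muted caption: the same grey passes as a large heading because the large-text threshold is 3:1. A scanner does this for every rendered element; the formula is the same.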
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
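Tokenized forms keep card numbers off your server by design, but a free-text field (an order note, a support message) can still carry one, and a single logged PAN pulls that system back into scope. The following is an added example, not code from the post or from Stripe, PayPal or WooCommerce: a server-side guard that scans an inbound checkout payload for anything that looks like a card number (a 13 to 19 digit run passing the Luhn check), rejects the request before it is stored or logged, and masks PANs in whatever text does get logged. The `payment_token` field name, the sample payloads and the function names are this example's own assumptions; the processor token format is whatever your processor issues.

```javascript
// Added example, not from the original post or any processor SDK: make sure
// your own endpoints never accept, store or log a raw card number.

// Luhn checksum: every valid payment card number passes it, most other
// digit strings (order ids, timestamps) do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when the value contains a 13-19 digit run (spaces and dashes
// allowed between groups) that passes Luhn.
function looksLikePan(value) {
  const compact = String(value).replace(/[\s-]/g, "");
  const runs = compact.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Walk a parsed form/JSON body and return dotted paths of offending fields.
function findPanFields(body, prefix = "") {
  const hits = [];
  if (body === null || body === undefined) return hits;
  if (typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, prefix ? `${prefix}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(prefix);
  }
  return hits;
}

// Decide before anything is persisted. The token field name is an
// assumption made for this example.
function validateCheckoutPayload(body) {
  const offending = findPanFields(body);
  if (offending.length > 0) {
    return { ok: false, reason: "raw card data present", offendingFields: offending };
  }
  if (typeof body.payment_token !== "string" || body.payment_token.length === 0) {
    return { ok: false, reason: "missing processor token", offendingFields: [] };
  }
  return { ok: true, reason: null, offendingFields: [] };
}

// For error logs: mask digit runs that pass Luhn so a rejected request can
// be investigated without the log store itself entering PCI scope.
function redactPans(text) {
  return String(text).replace(/\d[\d\s-]{11,}\d/g, (m) =>
    looksLikePan(m) ? "[PAN REDACTED]" : m);
}
```

Wire `validateCheckoutPayload` in as the first step of the order handler, return a generic error on `ok: false`, and log only `redactPans(JSON.stringify(body))` together with the offending field names, never the raw body.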
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
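The double opt-in flow and the consent record described above, as an added example that is not code from the post or from Mailchimp, ConvertKit or ActiveCampaign: a signup creates only a pending request, the click on an unguessable single-use confirmation token is the consent event, the record stores the date, IP and method, and an unsubscribe takes effect on the next send. The function names, the record layout and the sample addresses are assumptions made for this example; a real deployment persists both maps in a database and expires pending requests.

```javascript
// Added example, not from the original post or any email platform's SDK:
// an in-memory double opt-in list with a consent record per subscriber.
function createMailingList(opts = {}) {
  const now = opts.now || (() => new Date().toISOString());
  // Confirmation tokens must be unguessable: 256 bits from the CSPRNG.
  const newToken = opts.newToken ||
    (() => require("node:crypto").randomBytes(32).toString("hex"));
  const pending = new Map();     // token -> request awaiting confirmation
  const subscribers = new Map(); // email -> consent record

  const normalize = (email) => String(email).trim().toLowerCase();

  // Step 1: the signup form only creates a pending request. Nothing is sent
  // to the list yet, so a typo or a signup using someone else's address has
  // no effect beyond one confirmation email.
  function requestSubscription(email, ip) {
    const addr = normalize(email);
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr)) throw new Error("invalid email address");
    const token = newToken();
    pending.set(token, { email: addr, ip, requestedAt: now() });
    return token; // goes into the confirmation link, never into the list
  }

  // Step 2: the click on the link is the consent event. The token is
  // single-use and the record keeps date, IP and method of consent.
  function confirm(token, confirmIp) {
    const req = pending.get(token);
    if (!req) return null; // unknown, expired or already used
    pending.delete(token);
    const record = {
      email: req.email,
      status: "subscribed",
      consent: {
        method: "double-opt-in",
        requestedAt: req.requestedAt,
        requestIp: req.ip,
        confirmedAt: now(),
        confirmIp,
      },
    };
    subscribers.set(req.email, record);
    return { ...record, consent: { ...record.consent } };
  }

  // Unsubscribe is immediate. The record is kept with a changed status so
  // you can prove both the original consent and when it was withdrawn.
  function unsubscribe(email) {
    const rec = subscribers.get(normalize(email));
    if (!rec || rec.status !== "subscribed") return false;
    rec.status = "unsubscribed";
    rec.unsubscribedAt = now();
    return true;
  }

  // The only question a sending job should ask.
  function canEmail(email) {
    const rec = subscribers.get(normalize(email));
    return Boolean(rec && rec.status === "subscribed");
  }

  function getRecord(email) {
    const rec = subscribers.get(normalize(email));
    return rec ? { ...rec, consent: { ...rec.consent } } : null;
  }

  return {
    requestSubscription, confirm, unsubscribe, canEmail, getRecord,
    pendingCount: () => pending.size,
  };
}
```

The `now` and `newToken` hooks exist so the flow can be tested deterministically; in production leave both at their defaults. Checking `canEmail` at send time rather than at list-build time is what makes the 24-hour unsubscribe promise trivially true.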
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing the data of people in the EU | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale/sharing, no discrimination for exercising rights | $2,500 per violation, $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA was amended by CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers any storage on or access to the visitor’s device, not just cookies: localStorage, IndexedDB and fingerprinting scripts fall under the same requirement.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, under which version of your cookie policy, and for which visitor. A pseudonymous identifier is enough - the consent log must not itself become a new tracking database.
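The “prior” and “granular” requirements above are usually met by shipping third-party tags with `type="text/plain"` so the browser parses but never executes them, and switching them on only for the categories the visitor actively ticked. The following is an added example of that mechanism in browser JavaScript; it is not code from the post and not how any of the plugins compared below implement it. The storage key, the policy version string, the 12-month re-ask interval and the `_ga`/`_gid` cookie names used on withdrawal are assumptions; the decision helpers have no DOM dependency, so they also run under Node.

```javascript
// Tags are written as:
//   <script type="text/plain" data-category="analytics" src="https://example.invalid/tag.js"></script>
// and stay inert until activateBlockedScripts() is given a valid consent record.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01';                   // assumed: change it whenever the cookie policy text changes
const MAX_CONSENT_AGE_MS = 365 * 24 * 3600 * 1000;  // assumed re-ask interval of 12 months
const STORAGE_KEY = 'cookie_consent';               // assumed first-party storage key

// Turn the banner's choices into the record you keep as evidence.
// Every optional category defaults to false: nothing is pre-ticked, and
// closing or scrolling past the banner never produces a record at all.
function buildConsentRecord(choices, now = new Date()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES) {
    if (c !== 'necessary') granted[c] = choices[c] === true; // only an explicit true counts
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// A record is only good for the policy version it was given under and for a
// bounded time; anything else means "ask again" rather than "assume yes".
function isRecordValid(record, now = new Date()) {
  if (!record || record.version !== POLICY_VERSION || !record.granted) return false;
  const age = now.getTime() - Date.parse(record.timestamp);
  return Number.isFinite(age) && age >= 0 && age <= MAX_CONSENT_AGE_MS;
}

// Decide which blocked scripts may run. Each entry carries the category from
// its data-category attribute; unknown or missing categories stay blocked.
function scriptsToActivate(scripts, record, now = new Date()) {
  if (!isRecordValid(record, now)) return [];
  return scripts.filter(s => record.granted[s.category] === true);
}

// Withdrawal is a record with every optional category off. A script that
// already ran cannot be un-run, so the first-party cookies it set are expired
// as well. Cookies on third-party domains cannot be touched from here, which
// is why loading must be gated up front instead of cleaned up afterwards.
function withdrawConsent(now = new Date()) {
  return buildConsentRecord({}, now);
}

function expireFirstPartyCookies(doc, names, registrableDomain) {
  for (const name of names) {
    doc.cookie = `${name}=; Max-Age=0; path=/`;
    doc.cookie = `${name}=; Max-Age=0; path=/; domain=.${registrableDomain}`; // _ga is set on the eTLD+1
  }
}

// Browser glue. Changing `type` on an already-parsed <script> does not
// execute it, so each allowed tag is replaced by a fresh executable clone.
function activateBlockedScripts(doc, record) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))
    .map(el => ({ category: el.dataset.category, el }));
  const allowed = scriptsToActivate(tags, record);
  for (const { el } of allowed) {
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.type = 'text/javascript';
    live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

function saveRecord(storage, record) { storage.setItem(STORAGE_KEY, JSON.stringify(record)); }
function loadRecord(storage) {
  try { return JSON.parse(storage.getItem(STORAGE_KEY)); } catch { return null; }
}

// Page wiring (browser only). The banner's "Accept selected" / "Reject all"
// buttons call onBannerChoice; the footer's "Cookie settings" calls onWithdraw.
function onBannerChoice(choices) {
  const record = buildConsentRecord(choices);
  saveRecord(localStorage, record);        // also POST it to your server for the consent log
  activateBlockedScripts(document, record);
}
function onWithdraw(registrableDomain) {
  saveRecord(localStorage, withdrawConsent());
  expireFirstPartyCookies(document, ['_ga', '_gid'], registrableDomain); // assumed cookie names; extend for your stack
}
if (typeof document !== 'undefined') {
  activateBlockedScripts(document, loadRecord(localStorage));  // on load: only what a still-valid record allows
}
```

Two design points matter for audits: a record is keyed to the policy version, so editing the cookie policy silently invalidates old consent and re-shows the banner; and `scriptsToActivate` fails closed, so a tag with a misspelled or missing `data-category` never runs.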
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - exempt when the visitor explicitly asked for the feature (e.g. picked a language); consent needed for preferences stored on your own initiative |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR, unless the tool runs cookie-less and first-party only (see Privacy-First Analytics below) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. Geo-targeting relies on IP geolocation, which VPNs, corporate proxies and mobile carriers routinely defeat, so when a visitor’s location is uncertain the safe setting is to show the banner. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month, extendable by two further months for complex or numerous requests)
- Process for deletion requests (erase data within one month, with exceptions; remember copies held by your processors)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Even a breach you decide not to report must be documented internally, with the facts, the effects and the reasoning. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). Reduced scope is not zero scope: PCI DSS v4.0 expects you to know which scripts run on the page that hosts the payment form and to detect unauthorized changes to it, because a script injected into your checkout page (for example by a compromised plugin) can skim card details before they reach the processor’s iframe.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation expires after three years and must be renewed, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users. A date of birth is itself personal data, so store only the outcome of the check (over or under the threshold) unless you actually need the date.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp and the ToS version alongside it, since a bare boolean proves little once the terms change. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but opt-out requests must be honored within 10 business days. Under CASL (Canada), explicit opt-in is required for commercial messages, with only limited implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. Implied acceptance by continued use of the site (“browsewrap”) is weakly enforced by courts; an explicit “I agree” checkbox at registration or checkout (“clickwrap”) is much stronger and is what you want for any paid or account-based service
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule is not limited to cookies: Article 5(3) of the Directive covers any storing of information on, or reading of information from, the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts need the same consent, and a consent tool that deletes cookies but lets the tracking scripts run has not solved the problem.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Art. 7(1)). Store what was consented to (which categories), when, by whom (a pseudonymous consent ID is sufficient; you do not need to identify the visitor), and which version of the banner and cookie policy text they saw, so that a later change to the policy can trigger re-consent
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with tracking cookies enabled), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
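The blocking and record-keeping rules above are easy to get wrong in a hand-rolled banner, so here is an added example (written for this page, not code from the article or from any of the plugins compared below) of the minimal logic a compliant gate needs: scripts tagged by category are withheld until an explicit choice, consent is granular and withdrawable, and every decision is appended to a log with a timestamp and the version of the policy text the visitor saw. The category names, the `cookie_consent` storage key, the `type="text/plain"` tag convention and the three sample tags are assumptions made for the demonstration.

```javascript
// Added example, not code from the article or any consent plugin: a minimal
// consent gate for the rules above. Nothing non-essential runs before an explicit
// choice, consent is per category, withdrawal is one call, and every decision is
// logged with a timestamp and the policy version shown. Storage is injected, so
// it runs in Node (in-memory) and in a browser (pass window.localStorage).

const STRICTLY_NECESSARY = 'necessary';
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent'; // assumed key name

class ConsentManager {
  // policyVersion: bump whenever the cookie policy text changes; a decision
  // stored for an older version counts as none, so the banner is shown again.
  constructor({ storage, policyVersion, now = () => new Date().toISOString() }) {
    this.storage = storage;
    this.policyVersion = policyVersion;
    this.now = now;
  }
  log() { const raw = this.storage.getItem(STORAGE_KEY); return raw ? JSON.parse(raw) : []; }
  // Latest decision for the current policy version, or null (banner needed).
  current() {
    const entries = this.log();
    const last = entries[entries.length - 1];
    return last && last.policyVersion === this.policyVersion ? last : null;
  }
  // Append-only log: withdrawals and re-consents are kept, so you can show what
  // was consented to, when, and under which text (GDPR Art. 7(1)).
  record(decision, categories, method) {
    const entries = this.log();
    const entry = { decision, categories, method,
      policyVersion: this.policyVersion, timestamp: this.now() };
    entries.push(entry);
    this.storage.setItem(STORAGE_KEY, JSON.stringify(entries));
    return entry;
  }
  // Active consent: the visitor picks categories, nothing is pre-ticked.
  // "Accept all" is grant(CATEGORIES), "Reject all" is grant([]): one click each.
  grant(categories, method = 'banner_click') {
    const chosen = categories.filter(
      (c) => CATEGORIES.includes(c) && c !== STRICTLY_NECESSARY);
    return this.record('granted', chosen, method);
  }
  // Withdrawal as easy as consent (Art. 7(3)): one call from the footer link.
  withdraw(method = 'settings_link') {
    return this.record('withdrawn', [], method);
  }
  isAllowed(category) {
    if (category === STRICTLY_NECESSARY) return true; // exempt, always runs
    const rec = this.current();
    return rec !== null && rec.decision === 'granted'
      && rec.categories.includes(category);
  }
  // Of the site's tags, those that may load now; the rest stay blocked.
  allowedScripts(scripts) {
    return scripts.filter((s) => this.isAllowed(s.category));
  }
}

// Browser side of script blocking: ship gated tags as
// <script type="text/plain" data-category="analytics" data-src="..."> so the
// browser never executes them, then swap in a real <script> once consent covers
// the category. Returns the number of tags activated (0 outside a browser).
function activateBlockedScripts(manager) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  document.querySelectorAll('script[type="text/plain"][data-category]').forEach((tag) => {
    if (!manager.isAllowed(tag.dataset.category)) return;
    const real = document.createElement('script');
    if (tag.dataset.src) real.src = tag.dataset.src; else real.textContent = tag.textContent;
    tag.replaceWith(real);
    activated += 1;
  });
  return activated;
}

// In-memory stand-in for localStorage so the logic can be exercised offline.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Constructed tag list for the demonstration, not a real site's tags.
const SITE_SCRIPTS = [
  { name: 'csrf-token-refresh', category: 'necessary' },
  { name: 'matomo-with-cookies', category: 'analytics' },
  { name: 'facebook-pixel', category: 'marketing' },
];

// Lifecycle walk-through: no choice yet, granular grant, then withdrawal.
function demo() {
  const cm = new ConsentManager({ storage: new MemoryStorage(), policyVersion: '2024-06' });
  const names = () => cm.allowedScripts(SITE_SCRIPTS).map((s) => s.name);
  const before = names();                 // strictly necessary only
  cm.grant(['analytics']);                // analytics yes, marketing no
  const after = names();
  cm.withdraw();
  return { before, after, withdrawn: names(), logLength: cm.log().length };
}
```

In a browser, construct `ConsentManager` with `window.localStorage`, call `grant` or `withdraw` from the banner buttons, then call `activateBlockedScripts` to load whatever the new decision allows. A log that lives only in the visitor’s browser satisfies the blocking requirement but not the demonstration requirement on its own, so production banners also post each entry to the server; that server-side copy is what the plugins’ “consent logs” feature provides.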
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data without undue delay and within one month; the deadline can be extended by a further two months for complex or numerous requests, but you must tell the requester within the first month)
- Process for deletion requests (erase the data within the same one-month window, with exceptions such as data you must keep for legal or accounting obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if you miss the 72 hours you must explain the delay. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Designate someone responsible for breach assessment and notification in your organization, and keep an internal record of every breach, including the ones you decide not to report, since the regulator can ask for it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (typically inside an iframe served by the processor) and tokenizing them before anything reaches your server. Reduced scope is not zero scope: if your WordPress site itself is compromised, an injected script can overlay or replace the processor’s form and skim card details before they are tokenized (the pattern behind the Magecart attacks), so keeping the site patched, limiting the plugins that run on checkout pages, and periodically reviewing which scripts load on those pages remain part of your PCI responsibility even under SAQ A.
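The rule that card data must never touch your server is only as good as your ability to notice when it does (a plugin update that silently switches a payment form from tokenized to direct posting, or a custom form a contractor adds). The following is an added example, not code from the article or from any processor, of a server-side check a practitioner can put in front of order endpoints and run over database exports: it finds digit runs that pass the Luhn check and rejects the request, logging only the last four digits. The field names and sample bodies are constructed; `4242 4242 4242 4242` is a well-known test card number.

```javascript
// Added example, not code from the article or any payment processor: a
// server-side guard that enforces "card numbers never touch your server".
// It walks a request body (the same function works on a database export)
// and flags any 13-19 digit run that passes the Luhn check, so a form that
// starts posting raw card numbers instead of a processor token is rejected
// before the data lands in logs or the database. Field names and the sample
// bodies are constructed for the demonstration.

// Luhn mod-10 check: every card brand's PAN passes it; most other digit runs
// (order numbers, timestamps, phone numbers) do not.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes as people type them.
const CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Returns the PAN-looking values found in a string, separators stripped.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Only the last four digits are ever written to logs or error messages.
function mask(pan) {
  return '*'.repeat(pan.length - 4) + pan.slice(-4);
}

// Recursively scans strings and numbers in a JSON-like object; each finding
// records the dotted path so the offending field is easy to locate.
function scanValue(value, path, findings) {
  if (value === null || value === undefined) return findings;
  if (typeof value === 'string' || typeof value === 'number') {
    for (const pan of findPans(value)) findings.push({ path, masked: mask(pan) });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanValue(v, `${path}[${i}]`, findings));
  } else if (typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      scanValue(v, path ? `${path}.${k}` : k, findings);
    }
  }
  return findings;
}

// Middleware-style decision: accept the body only if no PAN is present.
// A processor token such as "tok_..." or "pm_..." is unlikely to contain a
// Luhn-valid digit run, so normal tokenized checkout traffic passes untouched.
function guardRequest(body) {
  const findings = scanValue(body, '', []);
  return findings.length === 0
    ? { ok: true, findings }
    : { ok: false, findings, reason: 'request contains what looks like a card number' };
}

// Constructed sample bodies: a correct tokenized checkout and a misconfigured one.
const GOOD_BODY = { customer: { email: 'buyer@example.com' },
  payment: { token: 'tok_example_1234abcd' }, order: '1234567812345678' };
const BAD_BODY = { customer: { email: 'buyer@example.com' },
  payment: { card: '4242 4242 4242 4242', exp: '12/29' }, notes: ['call me on 555-0100'] };
```

Wire `guardRequest` into the request pipeline before the body is persisted or logged, and alert on every rejection: a single hit means your SAQ A assumptions are no longer true and the affected form needs fixing before the next assessment. Luhn-valid 13 to 19 digit runs are rare in ordinary data, but run the scanner over a sample of legitimate traffic first to confirm that your own identifiers (order numbers, SKUs) do not trip it.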
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office, have a working notice-and-takedown process, and adopt and reasonably enforce a policy of terminating repeat infringers (17 U.S.C. § 512(i)). State that repeat-infringer policy in your ToS.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. Keep that box separate from any consent checkboxes: the data needed to run the account itself is processed on the contract basis and needs no consent, while GDPR consent for each optional purpose (email marketing, for example) needs its own unticked checkbox - consent bundled into the ToS agreement or pre-ticked is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Consent, contract performance, legal obligation, or legitimate interest are the four bases most websites rely on (GDPR lists six; vital interests and public task rarely apply to a commercial site). Name one basis per purpose rather than a blanket "consent" for everything, because consent that is not actually collected is no basis at all.
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A clickwrap (an explicit "I agree" checkbox at registration or checkout) is reliably enforceable; browsewrap ("by using this site you agree") is frequently held unenforceable, so rely on it only for visitors who never create an account or pay
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set, not after the visitor has already been tracked for a session. The rule covers storing or reading any information on the visitor’s device, not cookies alone, so localStorage entries, tracking pixels and fingerprinting scripts need the same consent.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (Article 7(1)), so store what was consented to, when, which version of the banner text was shown, and an identifier for the visitor. For anonymous visitors that identifier is the consent tool’s own ID, not an analytics tracking ID; the record exists to evidence consent, not to track.
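The gating mechanism those five requirements imply, written out as an added example (this is not code from the original post, nor from any consent plugin): non-essential scripts sit in the page as inert `<script type="text/plain" data-consent="...">` tags, which the browser never executes, and are swapped for live scripts only after the visitor’s recorded choices allow it. The storage key, the policy version string, the category names and the six-month re-consent interval are assumptions:

```javascript
// Added example: consent gate for non-essential scripts (not from the original post).
// Markup convention assumed: <script type="text/plain" data-consent="analytics" src="...">
// A text/plain script is never executed by the browser; it is replaced with a live
// script only after the visitor has granted every category it is tagged with.

const CONSENT_KEY = 'site_consent';            // assumed localStorage key (first-party)
const POLICY_VERSION = '2025-01';              // assumed; bump when the cookie policy changes
const CATEGORIES = ['analytics', 'marketing']; // the non-essential categories this site uses
const MAX_AGE_MS = 183 * 24 * 60 * 60 * 1000;  // assumed six-month re-consent interval

// Build a record from the categories the visitor actively granted.
// A category not in the list is recorded as refused: consent is never a default.
function makeConsentRecord(granted, now = new Date()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = granted.includes(c);
  return { version: POLICY_VERSION, timestamp: now.toISOString(), choices };
}

// "Reject all" is a real outcome, recorded so the banner stops reappearing
// and so the refusal itself is evidenced.
function rejectAll(now = new Date()) {
  return makeConsentRecord([], now);
}

// Parse a stored record. Malformed data, an older policy version, a future
// timestamp or a stale record all mean "no consent yet": the banner is shown
// again and nothing non-essential loads in the meantime.
function loadConsentRecord(raw, now = new Date()) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.version !== POLICY_VERSION) return null;
  if (!rec.choices || typeof rec.choices !== 'object') return null;
  const age = now - new Date(rec.timestamp);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return null;
  return rec;
}

// Decide which inert scripts may run. A script tagged "analytics,marketing"
// needs both categories; anything not explicitly true is a refusal.
function scriptsToActivate(record, scripts) {
  if (!record) return [];
  return scripts.filter(s => s.categories.every(c => record.choices[c] === true));
}

// Withdrawal costs one click, like granting did. A script that is already
// running cannot be unloaded, so reload the page after clearing the record.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Browser glue: turn the permitted text/plain tags into executable ones.
// Skipped under Node so the decision logic above can be exercised offline.
function applyConsentToDom(record) {
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map(el => ({ el, categories: el.dataset.consent.split(',').map(x => x.trim()) }));
  for (const { el } of scriptsToActivate(record, inert)) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live); // executes only now, after consent
  }
}

if (typeof document !== 'undefined') {
  const record = loadConsentRecord(localStorage.getItem(CONSENT_KEY));
  if (record) applyConsentToDom(record); // otherwise show the banner and load nothing
}
```

Every failure path (unknown version, stale or malformed record, missing category) falls back to "no consent", which is the safe direction: nothing non-essential loads until the visitor chooses again. A tag-manager-style setup that loads scripts first and suppresses them afterwards fails the "prior" requirement, which is why the scripts here start out as text/plain rather than being blocked after the fact.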
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Usually yes; exempt only where the visitor explicitly asked for the feature the cookie remembers (for example, chose a language) |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes, whenever the tool sets cookies or otherwise identifies the visitor (Matomo’s cookie-less mode is the exception) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month; GDPR allows two further months for complex or numerous requests, but you must tell the requester within the first month)
- Process for deletion requests (erase within one month, subject to exceptions such as legal retention duties; remember that backups and your processors hold copies too)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly. Every breach, including those you decide not to report, goes into an internal breach register with the facts and the reasoning, because the regulator can ask for it. The 72-hour clock starts at awareness, so detection and escalation (who watches the logs, who decides) are part of the control. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text and 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit; automated scanners catch only part of the problems (contrast, missing alt text, unlabelled fields), so follow up with a keyboard-only walk-through of your forms and checkout. Fix high-severity issues first.
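The contrast criterion is a formula, so here it is worked through as an added example (not from the original post, and not WAVE’s or axe’s code): WCAG’s relative-luminance calculation and the (L1 + 0.05) / (L2 + 0.05) ratio, with the AA thresholds applied. The `auditContrast` helper and the shape of its selector/colour pairs are constructed for illustration:

```javascript
// Added example: WCAG 2.1 contrast ratio (not from the original post, nor WAVE/axe code).

// sRGB 8-bit channel to linear light, per the WCAG 2.1 relative-luminance definition
// (WCAG 2.2 moved the threshold to 0.04045; the difference is negligible in practice).
function linearChannel(c8) {
  const s = c8 / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

// Accepts #rgb or #rrggbb; anything else is an error rather than a silent 0.
function parseHex(hex) {
  let h = hex.trim().replace(/^#/, '');
  if (h.length === 3) h = h.split('').map(x => x + x).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`expected #rgb or #rrggbb, got ${hex}`);
  return [0, 2, 4].map(i => parseInt(h.slice(i, i + 2), 16));
}

// L = 0.2126 R + 0.7152 G + 0.0722 B on the linearised channels (0 = black, 1 = white).
function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex);
  return 0.2126 * linearChannel(r) + 0.7152 * linearChannel(g) + 0.0722 * linearChannel(b);
}

// Contrast ratio = (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// AA: 4.5:1 for normal text, 3:1 for large text (18pt and up, or 14pt and up bold).
function meetsAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of { selector, fg, bg, large } pairs (assumed shape) and return the failures
// with the ratio rounded to two decimals, the way scanners report it.
function auditContrast(pairs) {
  return pairs
    .filter(p => !meetsAA(p.fg, p.bg, !!p.large))
    .map(p => ({ selector: p.selector, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }));
}
```

The worked numbers show why the threshold bites: the common mid-grey `#777777` on white comes out at 4.48:1 and fails AA for body text, while `#767676` passes at 4.54:1. The same grey is fine for large headings, where the bar is 3:1.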
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data travels from the visitor’s browser straight to the processor (a hosted page or an iframe-based form) and never touches your server, your scope drops to SAQ A, the shortest self-assessment questionnaire. If your own page’s JavaScript handles the card fields before posting them to the processor (a direct-post integration), the longer SAQ A-EP applies instead. Even under SAQ A, PCI DSS 4.0 pays attention to the scripts that run on the payment page because of client-side skimming attacks, so keep checkout free of unnecessary third-party JavaScript and know exactly which scripts load there.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot reach your logs either: one debug dump of a request body that contains a card number puts you back in scope. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server.
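A server-side guard that keeps that promise, as an added example (not code from the original post and not part of Stripe’s, PayPal’s or WooCommerce’s integrations): the checkout endpoint accepts only a processor token and refuses any request in which a Luhn-valid card number appears anywhere in the body, so a mis-wired form or a stray "card number" field cannot push raw PANs into your logs or database and out of SAQ A scope. The `payment_method_id` field name and the token format check are assumptions; the `4242 4242 4242 4242` value is a widely published test card number, not a real one:

```javascript
// Added example: refuse raw card data at the edge of a token-only checkout endpoint.
// Field names and token format are assumptions, not any processor's real API.

// Luhn check: every real PAN passes it, most random digit strings (order numbers,
// phone numbers, tracking IDs) do not, which keeps false positives low.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Walk the whole body (nested objects, arrays, JSON-in-a-string) and collect
// 13-19 digit runs, optionally space- or dash-separated, that pass Luhn.
function findPans(value, found = []) {
  if (typeof value === 'string') {
    const re = /(?:\d[ -]?){12,18}\d/g;
    for (const m of value.match(re) || []) {
      const digits = m.replace(/[ -]/g, '');
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
    }
  } else if (Array.isArray(value)) {
    value.forEach(v => findPans(v, found));
  } else if (value && typeof value === 'object') {
    Object.values(value).forEach(v => findPans(v, found));
  }
  return found;
}

// First six + last four is the most PCI DSS lets you display; never log the rest.
function maskPan(d) {
  return d.slice(0, 6) + '*'.repeat(d.length - 10) + d.slice(-4);
}

// Validate a checkout body before it is logged, stored or forwarded:
// it must not carry a PAN, and it must carry a token-shaped reference.
function validateCheckoutBody(body) {
  const pans = findPans(body);
  if (pans.length) {
    return { ok: false, status: 400, error: 'raw card data is not accepted by this endpoint',
             masked: pans.map(maskPan) };
  }
  const token = body.payment_method_id;
  if (typeof token !== 'string' || !/^[A-Za-z0-9_]{8,128}$/.test(token)) {
    return { ok: false, status: 400, error: 'missing or malformed payment token' };
  }
  return { ok: true, paymentMethodId: token };
}
```

Run `validateCheckoutBody` before any request logging middleware sees the body, otherwise the rejection itself leaks the number into the access log. The same `findPans` scan is useful as a periodic check over existing log files and database dumps: finding a hit there means the scope reduction you claimed on the SAQ is not true in practice.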
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation must be renewed every three years or it lapses, and the safe harbor lapses with it, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: set a minimum age in your ToS (13 under COPPA; GDPR sets 16 for consent-based services offered to children, and member states may lower that to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. If a visitor fails the age check, do not keep the date of birth you just collected, and do not let them simply go back and try a different one.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance: store the timestamp, the version of the terms shown, and how the acceptance was given. Under GDPR, consent must be specific to each purpose, so email marketing consent needs its own unticked checkbox and must not be folded into the ToS box; bundled consent is not valid. Data the account needs in order to work (email address, password) is processed under the contract basis and needs no consent checkbox at all.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Configured that way, with IP addresses truncated and no cross-site tracking, it fits the audience-measurement exemption some regulators recognise (France’s CNIL publishes the conditions), so most interpretations treat it as not requiring consent; check your own regulator’s guidance.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the business is located (Article 3(2)). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to, or monitoring, people in the EU | Lawful basis for processing, consent, data subject rights, DPO for large-scale processing | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
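Even with hosted fields, card numbers can still reach your server by accident: a customer pastes one into a support form or an order note, and it ends up in your database and logs, which pulls those systems back into PCI scope. The following is an added example (not code from the article, WooCommerce, or any processor's SDK) of a server-side guard that detects a primary account number (PAN) in submitted form fields using the Luhn checksum, masks it to the last four digits, and reports which fields were affected so the request can be rejected and reviewed. The field names and the sample submission are constructed; `4111 1111 1111 1111` is a publicly documented test card number.

```javascript
// Added example: catch payment-card numbers (PANs) that reach your own backend
// by mistake, so they are never written to your database or logs.
// Illustrative code, not from the original article or any processor's SDK.

// Luhn (mod 10) checksum, which every major card brand's PAN satisfies
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the matched substrings (separators included) that also pass Luhn,
// so order numbers and phone numbers are not flagged.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(m[0]);
    }
  }
  return found;
}

// Keep only the last four digits, the part PCI DSS allows you to display
function maskPan(pan) {
  const digits = pan.replace(/[ -]/g, "");
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Inspect every string field of a submission; return a sanitised copy plus the
// names of fields that contained card data, so the caller can reject the
// request and treat the hit as an incident to review.
function scrubSubmission(fields) {
  const clean = {};
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") {
      clean[name] = value;
      continue;
    }
    let redacted = value;
    for (const pan of findPans(value)) {
      offending.push(name);
      redacted = redacted.split(pan).join(maskPan(pan));
    }
    clean[name] = redacted;
  }
  return { clean, offending: [...new Set(offending)] };
}

// Constructed sample: a support form where a customer pasted a card number into
// the free-text field. 4111 1111 1111 1111 is a publicly documented test PAN.
const SAMPLE_SUBMISSION = {
  email: "customer@example.com",
  order: "ORD-2024-000123",
  message: "Please charge my card 4111 1111 1111 1111 instead, thanks",
};

const result = scrubSubmission(SAMPLE_SUBMISSION);
if (result.offending.length > 0) {
  console.log(`rejected: card data found in ${result.offending.join(", ")}`);
  console.log(`safe-to-log copy: ${JSON.stringify(result.clean)}`);
}
```

Run this in the form handler before anything is persisted or logged, and log only the `clean` copy. Because hosted payment fields mean card data should never arrive here at all, a hit is worth more than a redaction: it tells you a form on your site is inviting card numbers, and that is the thing to fix.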
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
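The requirements list and the category table above describe behaviour that a consent banner has to implement, not just display: nothing pre-ticked, categories granted independently, a dated record of what was chosen, third-party scripts held back until their category is allowed, and withdrawal that is as easy as acceptance. The following is an added example (not code from the article or from any of the plugins compared below) of a small consent manager that does exactly that, with the browser-specific part (injecting a `<script>` tag) passed in as a function so the logic can run and be tested outside a browser. The category names, the `POLICY_VERSION` string, and the script URLs in `demo()` are constructed.

```javascript
// Added example: a minimal consent manager implementing the mechanics the
// requirements list describes. Illustrative code, not from the original
// article or from any cookie-consent plugin. Category names are assumed.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06-01"; // constructed; change it whenever the cookie policy changes

// Default state: only strictly-necessary is granted (no pre-ticked boxes)
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// `loadScript` injects a script tag in a real page; `now` is injectable for testing
function createConsentManager({ now = () => new Date().toISOString(), loadScript } = {}) {
  let consent = null;   // null = the visitor has not answered the banner yet
  const log = [];       // one record per decision, for the consent log
  const pending = [];   // scripts waiting for their category to be allowed
  const loaded = new Set();

  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") return true;      // exempt, never gated
    return consent !== null && consent[category] === true;
  }

  // Load any registered script whose category is now allowed (each at most once)
  function flush() {
    for (const s of pending) {
      if (!loaded.has(s.src) && isAllowed(s.category)) {
        loaded.add(s.src);
        loadScript(s);
      }
    }
  }

  // Every decision, including withdrawal, is stored with time and policy version
  function record(action, choices) {
    consent = { ...choices, necessary: true };       // necessary cannot be switched off
    log.push({ action, at: now(), version: POLICY_VERSION, choices: { ...consent } });
    flush();
  }

  return {
    // Register a third-party script; it runs only once its category is consented to
    register(src, category) { pending.push({ src, category }); flush(); },
    acceptAll() { record("accept_all", Object.fromEntries(CATEGORIES.map((c) => [c, true]))); },
    rejectAll() { record("reject_all", defaultConsent()); },   // as easy as Accept All
    save(choices) { record("custom", { ...defaultConsent(), ...choices }); }, // granular
    // Withdrawal stops further loads and is logged; already-set cookies for the
    // withdrawn categories must then be deleted, which is page-specific and not done here.
    withdraw() { record("withdraw", defaultConsent()); },
    isAllowed,
    hasAnswered: () => consent !== null,
    getRecord: () => log[log.length - 1] || null,
    getLog: () => log.slice(),
    loadedScripts: () => [...loaded],
  };
}

// Constructed demonstration: a stub loader stands in for injecting <script> tags
function demo() {
  const injected = [];
  const cm = createConsentManager({
    now: () => "2024-06-15T10:00:00Z",
    loadScript: (s) => injected.push(s.src),
  });
  cm.register("/js/session.js", "necessary");                  // runs immediately, exempt
  cm.register("https://analytics.example/a.js", "analytics");  // held back
  cm.register("https://ads.example/pixel.js", "marketing");    // held back
  cm.save({ analytics: true });                                // visitor ticks analytics only
  return { injected, record: cm.getRecord(), marketingAllowed: cm.isAllowed("marketing") };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment `loadScript` would create the `<script>` element (which is what the "Script Blocking" column in the plugin table refers to), and each record from `getLog()` would be sent to the server and retained as the consent log. Storing the policy version with each record matters: when the cookie policy changes, records taken under the old version no longer cover the new purposes and the banner has to be shown again.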
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
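The rule above has a common failure mode that the official plugins cannot prevent: a free-text field such as an order note, a support form, or a comment where a customer types a card number anyway. Once that value is in your database, your server is back in PCI scope. As an added example, not code from the original post or from Stripe, PayPal or WooCommerce, the following Node.js guard screens a form submission server-side for Luhn-valid 13 to 19 digit strings and refuses to store the submission, logging only the last four digits. The field names are constructed, and the test number is a widely published test card number, not a real account.

```javascript
// Added example (not from the original post or any processor SDK): a
// server-side backstop that refuses to persist anything that looks like a
// primary account number (PAN). It complements client-side tokenization,
// it does not replace it.

// Luhn check over a string of ASCII digits. Nearly all card numbers pass it,
// which lets us tell a PAN apart from an order id or a phone number.
function luhnValid(digits) {
  let sum = 0;
  let alternate = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (alternate) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    alternate = !alternate;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return every Luhn-valid candidate found in a field value, digits only.
function findPans(text) {
  const hits = [];
  for (const match of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = match[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Replace PANs with a masked marker so the text is safe to write to logs.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? "[PAN ****" + digits.slice(-4) + "]" : m;
  });
}

// Screen a submission (an object of field name -> value). Returns ok=false
// with one finding per PAN; the caller rejects the request and asks the
// customer to use the payment form instead of retyping the number.
function screenSubmission(fields) {
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findPans(value)) {
      findings.push({ field: name, last4: pan.slice(-4) }); // never the full PAN
    }
  }
  return { ok: findings.length === 0, findings };
}
```

Run the screen before any write to the database or to a log file, and treat a hit as a reason to reject the request rather than to strip the number silently, so the customer learns where card details belong. The Luhn filter removes most false positives (order numbers, tracking ids), but a long numeric reference that happens to pass Luhn will trip it, which is the safer direction to err.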
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
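The age check above is easy to get wrong in two ways: computing age by subtracting years alone overstates it until the birthday has actually passed, and a check that runs only in the browser can be skipped, so the validation has to run on the server as well. As an added example, not code from the original post, here is a server-side date-of-birth check. The region table is an assumption built from the figures the text gives (13 by default, 16 for EU sites); GDPR lets member states set the digital consent age anywhere from 13 to 16, so the EU entry is a placeholder to configure per country.

```javascript
// Added example (not from the original post): server-side date-of-birth
// validation for a registration form. MINIMUM_AGE is an assumed
// configuration table using the post's figures, not a legal lookup.

const MINIMUM_AGE = { default: 13, eu: 16 };

// Parse "YYYY-MM-DD" strictly and reject calendar-impossible dates such as
// 2023-02-30, which Date.UTC would silently roll over into March.
function parseIsoDate(text) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(text).trim());
  if (!m) return null;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    return null;
  }
  return { y, mo, d, ms: dt.getTime() };
}

// Completed years between dob and today. A 29 February birthday counts as
// reached on 1 March in non-leap years.
function ageOn(dob, today) {
  let age = today.y - dob.y;
  if (today.mo < dob.mo || (today.mo === dob.mo && today.d < dob.d)) age -= 1;
  return age;
}

// Decide whether a registrant may proceed. todayIso is injectable so the
// function is testable; production code takes it from the server clock,
// never from the client.
function registrationAllowed(dobIso, region = "default", todayIso = new Date().toISOString().slice(0, 10)) {
  const dob = parseIsoDate(dobIso);
  if (!dob) return { allowed: false, reason: "invalid date" };
  const today = parseIsoDate(todayIso);
  if (!today) throw new Error("today must be YYYY-MM-DD");
  if (dob.ms > today.ms) return { allowed: false, reason: "date in the future" };
  const minimumAge = MINIMUM_AGE[region] !== undefined ? MINIMUM_AGE[region] : MINIMUM_AGE.default;
  const age = ageOn(dob, today);
  return {
    allowed: age >= minimumAge,
    age,
    minimumAge,
    reason: age >= minimumAge ? null : "under minimum age",
  };
}
```

Store only the outcome (age verified: yes/no, and the date of the check) rather than the date of birth itself; the birth date is extra personal data that the rest of the site does not need, and keeping it widens what a breach exposes.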
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
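Every rule in the list above maps to a small piece of state in the consent banner's code, and most consent failures come from that state being wrong: a default that silently enables a category, a script tag that loads before the visitor answers, or a withdrawal path that never updates the record. As an added example, not code from the original post or from any consent plugin, the following dependency-free JavaScript models the consent record and the script gating; it also shows the purpose-by-purpose structure that the registration checkbox section above calls for, since bundling is invalid there too. The category names and the policyVersion field are assumptions.

```javascript
// Added example (not from the original post or any consent plugin): a
// consent state model that enforces prior, granular, withdrawable consent.
// Category names and the policyVersion field are assumed, not a standard.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Starting state: nothing non-essential is on. This is "no pre-ticked boxes"
// expressed as data. "necessary" is exempt from consent and always true.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the visitor's explicit banner choices into a record. Only a literal
// true counts as consent: a missing key, false, "on" or "yes" is a refusal,
// so scrolling past the banner or a form quirk never records consent.
// policyVersion ties the record to the policy text that was displayed.
function recordConsent(choices, policyVersion, now = new Date()) {
  const consent = defaultConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (category === "necessary") continue; // cannot be opted into or out of
    consent[category] = value === true;
  }
  return { consent, policyVersion, timestamp: now.toISOString() };
}

// Withdrawal must be as easy as giving consent: one call switches categories
// off and returns a fresh record, so the log shows when the change happened
// while the earlier record survives as evidence of what was consented to.
function withdrawConsent(record, categories, now = new Date()) {
  const consent = { ...record.consent };
  for (const category of categories) {
    if (category !== "necessary" && CATEGORIES.includes(category)) consent[category] = false;
  }
  return { ...record, consent, timestamp: now.toISOString() };
}

// "Prior" consent: with no record at all, only strictly necessary code runs.
function mayLoad(record, category) {
  if (category === "necessary") return true;
  return Boolean(record && record.consent[category] === true);
}

// Script blocking: given the tags the page wants ({ src, category }), return
// only the sources that may be injected under the current record.
function gateScripts(record, scripts) {
  return scripts.filter((s) => mayLoad(record, s.category)).map((s) => s.src);
}

// A changed policy invalidates earlier consent; the banner must be shown again.
function needsReconsent(record, currentPolicyVersion) {
  return !record || record.policyVersion !== currentPolicyVersion;
}
```

In the browser, the record lives in a first-party cookie or localStorage entry (that storage is itself strictly necessary, so it needs no consent), a copy goes to a server-side log keyed by an opaque consent id rather than the visitor's IP address, and the page injects only the script sources that gateScripts returns. Keeping the consent decision in data, rather than scattered across tag-manager triggers, is also what makes the monthly cookie rescan meaningful: a new plugin's script either has a category in this model or it does not load.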
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
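The requirements list and the category table above describe consent mechanics; the following is an added example (not code from the original post or from any of the plugins it names) showing how a site can enforce them: nothing non-essential runs before an explicit choice, absent choices default to refused, withdrawal is one call, and every decision is logged. The `policyVersion` re-consent check and the `data-consent` attribute convention are this example's own assumptions.

```javascript
// Categories mirror the table: only "necessary" is exempt from consent.
const CATEGORIES = Object.freeze({
  necessary: false, // exempt: session, login, cart and CSRF-token cookies
  functional: true,
  analytics: true,
  marketing: true,
});

class ConsentManager {
  constructor({ policyVersion, now = () => new Date() } = {}) {
    this.policyVersion = policyVersion; // assumption: bumped whenever the cookie policy changes
    this.now = now;
    this.current = null; // no record yet: nothing non-essential may run ("prior" consent)
    this.history = [];   // append-only consent log: what, when, by which visitor
  }

  // Only an explicit user action creates a record. Scrolling, closing the
  // banner or continuing to browse never reaches this method, so they never count.
  recordChoice(choices, { visitorId, source }) {
    if (!['banner', 'settings'].includes(source)) {
      throw new Error('consent must come from an explicit user action');
    }
    choices = choices || {};
    const granted = {};
    for (const [category, requiresConsent] of Object.entries(CATEGORIES)) {
      // Missing or non-boolean keys default to refused: no pre-ticked boxes.
      granted[category] = requiresConsent ? choices[category] === true : true;
    }
    const record = Object.freeze({
      visitorId,
      source,
      policyVersion: this.policyVersion,
      grantedAt: this.now().toISOString(),
      granted: Object.freeze(granted),
    });
    this.history.push(record);
    this.current = record;
    return record;
  }

  // "Accept all" and "Reject all" are both offered, one click each.
  acceptAll(meta) {
    return this.recordChoice({ functional: true, analytics: true, marketing: true }, meta);
  }
  rejectAll(meta) { return this.recordChoice({}, meta); }

  // Withdrawal is as easy as giving consent (the footer "Cookie settings" link).
  withdrawAll({ visitorId }) {
    return this.recordChoice({}, { visitorId, source: 'settings' });
  }

  // Reload a record persisted in a first-party cookie or localStorage on a later visit.
  restore(record) { this.current = record; }

  isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    if (!CATEGORIES[category]) return true;                                 // strictly necessary
    if (!this.current) return false;                                        // no prior consent
    if (this.current.policyVersion !== this.policyVersion) return false;    // policy changed: ask again
    return this.current.granted[category] === true;
  }
}

// Third-party tags are shipped as <script type="text/plain" data-consent="analytics" src="...">
// so the browser does not execute them on load. Given a list of such tags, return the ones
// that may be activated now.
function selectActivatable(tags, manager) {
  return tags.filter((tag) => manager.isAllowed(tag.category)).map((tag) => tag.src);
}

// Browser-only helper: replace each gated tag with an executable one once consent exists.
function activateGatedScripts(doc, manager) {
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!manager.isAllowed(el.dataset.consent)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
```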
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
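A guard rail for the "never touches your server" rule, as an added example that is not from the original post or from Stripe, PayPal or WooCommerce: a server-side check that refuses any form submission in which a field looks like a card number, so a misconfigured or home-grown form cannot push card data into your database. The Express-style middleware signature is an assumption; the card-number heuristic is 13 to 19 digits passing the Luhn check.

```javascript
// Luhn check over a string of digits (the checksum every payment card number carries).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value is treated as a card number if, after stripping spaces and dashes,
// it is 13-19 digits and passes Luhn. Order ids and phone numbers rarely do both.
function looksLikeCardNumber(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walks a submission (nested objects and arrays) and returns the paths of
// offending fields; the values themselves are never returned or logged.
function findCardNumberFields(obj, path = '') {
  const hits = [];
  if (obj && typeof obj === 'object') {
    for (const [key, value] of Object.entries(obj)) {
      hits.push(...findCardNumberFields(value, path ? `${path}.${key}` : key));
    }
  } else if (looksLikeCardNumber(obj)) {
    hits.push(path);
  }
  return hits;
}

// Express-style middleware (assumed framework): block the request before any
// handler can store the submission, and log only the field path.
function rejectCardData(req, res, next) {
  const hits = findCardNumberFields(req.body);
  if (hits.length === 0) return next();
  console.warn(`rejected submission with card-number-like fields: ${hits.join(', ')}`);
  res.status(400).json({ error: 'Card details must be entered in the payment form, not here.' });
}
```

Tokens returned by a processor (for example a `tok_...` or `pm_...` string) are not digit-only and pass through untouched, which is exactly the data your server should be receiving.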
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
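The double opt-in procedure above as an added example, not code from the original post or from Mailchimp, ConvertKit or ActiveCampaign: a pending signup never receives a campaign, the confirmation link is single-use and expires, the resulting consent record stores date, IP and method, and unsubscribe takes effect immediately. The 48-hour confirmation window and the injected token generator are this example's assumptions (use `crypto.randomUUID()` or `crypto.randomBytes()` in production).

```javascript
const CONFIRM_WINDOW_MS = 48 * 60 * 60 * 1000; // assumption: confirmation links expire after 48 hours

const normalize = (email) => email.trim().toLowerCase();

class SubscriberList {
  constructor({ now = () => new Date(), newToken }) {
    this.now = now;
    this.newToken = newToken;     // injected so the example is deterministic to test
    this.subscribers = new Map(); // email -> { status, consent, pending, unsubscribedAt }
    this.tokens = new Map();      // confirmation token -> email
  }

  // Step 1: the signup form creates a pending entry only. The token goes into
  // the confirmation email and nowhere else.
  requestSubscription(email, { ip, formId }) {
    const key = normalize(email);
    const existing = this.subscribers.get(key);
    if (existing && existing.status === 'subscribed') return { status: 'already_subscribed' };
    const token = this.newToken();
    this.tokens.set(token, key);
    this.subscribers.set(key, {
      status: 'pending',
      consent: null,
      pending: { token, ip, formId, requestedAt: this.now() },
    });
    return { status: 'pending', token };
  }

  // Step 2: clicking the link completes the opt-in. The record keeps the
  // signup IP and the confirmation IP, the timestamps and the method.
  confirm(token, { ip }) {
    const key = this.tokens.get(token);
    this.tokens.delete(token); // single use, whatever happens next
    if (!key) return { ok: false, reason: 'unknown_token' };
    const sub = this.subscribers.get(key);
    if (!sub || sub.status !== 'pending' || sub.pending.token !== token) {
      return { ok: false, reason: 'not_pending' };
    }
    if (this.now() - sub.pending.requestedAt > CONFIRM_WINDOW_MS) {
      this.subscribers.delete(key); // stale request: drop the personal data
      return { ok: false, reason: 'expired' };
    }
    sub.consent = Object.freeze({
      method: 'double_opt_in',
      formId: sub.pending.formId,
      signupIp: sub.pending.ip,
      signupAt: sub.pending.requestedAt.toISOString(),
      confirmIp: ip,
      confirmedAt: this.now().toISOString(),
    });
    sub.status = 'subscribed';
    sub.pending = null;
    return { ok: true, consent: sub.consent };
  }

  // Takes effect at once. The row stays as a suppression entry so the address
  // cannot be re-added by a later import; only a new double opt-in reactivates it.
  unsubscribe(email) {
    const sub = this.subscribers.get(normalize(email));
    if (!sub) return false;
    sub.status = 'unsubscribed';
    sub.unsubscribedAt = this.now().toISOString();
    sub.consent = null;
    sub.pending = null;
    return true;
  }

  // Only confirmed subscribers may receive a campaign.
  recipients() {
    return [...this.subscribers]
      .filter(([, sub]) => sub.status === 'subscribed')
      .map(([email]) => email);
  }

  // What you show a regulator or a data subject asking "when did I consent?".
  consentRecord(email) {
    const sub = this.subscribers.get(normalize(email));
    return sub && sub.consent ? sub.consent : null;
  }
}
```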
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse).
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases).
- Consent records: You must store a record of what was consented to, when, and by which user.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
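The requirements above (prior consent, no pre-ticked boxes, granular categories, easy withdrawal, consent records) and the category table translate directly into a small piece of client-side state logic. The following is an added example written for this page; it is not code from Complianz, CookieBot or any other plugin named here. The names createConsentManager and memoryStorage are assumptions, and the in-memory storage stands in for localStorage or a first-party cookie so the example runs offline.

```javascript
// Added example (not from the page or any plugin it names): a minimal consent
// state manager that enforces the requirements listed above. Names such as
// createConsentManager and memoryStorage are assumptions for this example.

// Categories match the "Cookie Categories" table; "necessary" is exempt from consent.
const CONSENT_CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Tiny in-memory stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
    removeItem: (k) => { store.delete(k); },
  };
}

function createConsentManager(storage, opts = {}) {
  const key = opts.storageKey || "cookie_consent_v1";
  const now = opts.now || (() => new Date().toISOString());
  // Pseudonymous id so a record can be tied to a visitor without storing an IP.
  const newId = opts.newId || (() => Math.random().toString(36).slice(2, 12));
  const policyVersion = opts.policyVersion || "unversioned";
  const log = []; // in production, ship each entry to your consent log store

  const load = () => {
    const raw = storage.getItem(key);
    return raw === null ? null : JSON.parse(raw);
  };

  // Every decision (accept, reject, withdraw) is written the same way and logged.
  const save = (choices, method) => {
    for (const k of Object.keys(choices)) {
      if (!CONSENT_CATEGORIES.includes(k)) throw new Error("unknown category: " + k);
    }
    const clean = {};
    for (const c of CONSENT_CATEGORIES) {
      if (c === "necessary") continue;   // never a consent question
      clean[c] = choices[c] === true;    // only an explicit true counts; nothing is pre-ticked
    }
    const prev = load();
    const rec = { id: prev ? prev.id : newId(), at: now(), method, policyVersion, choices: clean };
    storage.setItem(key, JSON.stringify(rec));
    log.push(rec);
    return rec;
  };

  // "Prior" consent: until the visitor decides, only strictly necessary cookies are allowed.
  const isAllowed = (category) => {
    if (category === "necessary") return true;
    const rec = load();
    return rec !== null && rec.choices[category] === true;
  };

  return {
    hasDecided: () => load() !== null,
    isAllowed,
    // Granular choice from the banner's per-category checkboxes.
    record: (choices, method = "banner:custom") => save(choices, method),
    acceptAll: () => save({ functional: true, analytics: true, marketing: true }, "banner:accept_all"),
    // "Reject All" must be as easy as "Accept All", so it is a single call too.
    rejectAll: () => save({}, "banner:reject_all"),
    // Withdrawal (footer "Cookie settings" link) is just another recorded decision.
    withdraw: () => save({}, "settings:withdraw"),
    // Gate third-party tags: only return the scripts whose category is currently allowed.
    loadableScripts: (scripts) => scripts.filter((s) => isAllowed(s.category)).map((s) => s.src),
    consentLog: () => log.slice(),
  };
}
```

The design point is that the absence of a record is itself the "refused" state: analytics and marketing tags are never injected until `isAllowed` returns true for their category, and each change of mind produces a new log entry carrying the same pseudonymous id, the timestamp, the method and the policy version, which is the record the law asks you to keep.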
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
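Tokenizing on the client keeps card numbers off your server, but free-text fields (order notes, support forms, webhook bodies) can still carry one that a customer typed in. A defensive check that refuses to store or log such a payload is the server-side complement to the advice above. The following is an added example written for this page, not code from Stripe, PayPal or WooCommerce; the names screenPayload and findPans are assumptions, and the sample order is constructed.

```javascript
// Added example (not Stripe's, PayPal's or WooCommerce's code): a server-side
// guard that refuses to store or log any inbound payload containing something
// that looks like a card number. Names such as screenPayload and findPans are
// assumptions for this example.

// Luhn checksum: filters out order ids and phone numbers that merely look like a PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by spaces or dashes ("4242 4242 4242 4242").
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return every Luhn-valid candidate in a string, with separators stripped.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Walk an object (form body, webhook JSON) and report fields holding a PAN.
// Only the last four digits are returned, so the report itself is safe to log.
function screenPayload(payload) {
  const findings = [];
  const walk = (value, path) => {
    if (value !== null && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
    } else if (typeof value === "string" || typeof value === "number") {
      for (const pan of findPans(value)) findings.push({ field: path, last4: pan.slice(-4) });
    }
  };
  walk(payload, "");
  return { ok: findings.length === 0, findings };
}

// Constructed sample: a customer typed a (test) card number into a free-text note.
const SAMPLE_ORDER = {
  order_id: "ORD-1234567890123456",          // 16 digits but fails Luhn, so not flagged
  phone: "+1 555 010 0123",
  note: "please charge 4242 4242 4242 4242, exp 12/26",
  payment_token: "tok_constructed_example", // what the processor's client-side library sends instead
};

function screenSampleOrder() {
  return screenPayload(SAMPLE_ORDER);
}
```

Run `screenPayload` on every request body before it reaches your database or log pipeline and reject (or redact) anything it flags; the Luhn check keeps false positives from order numbers and phone numbers low, and the report carries only the last four digits so the alert itself does not expand your PCI scope.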
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit "I agree" checkbox or button (clickwrap) is far more enforceable than a notice that using the site implies acceptance (browsewrap); use clickwrap for anything involving accounts or payments
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. “Cookie” is shorthand here: the rule covers any storing of or access to information on the visitor’s device, so localStorage, tracking pixels and browser fingerprinting need the same consent, and it is the tracking script that has to be held back until consent exists, not just the cookie file it writes.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of the banner and policy, and for which visitor. Identify the visitor by a random consent ID held in a first-party cookie rather than by IP address, so that the proof of consent does not itself become a new store of personal data
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, load-balancer affinity and other security cookies | No - these are exempt, but only while they serve the function the visitor asked for; a “session” cookie that also feeds analytics is not exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR when cookie-based. Matomo in cookie-less mode is the exception (see Privacy-First Analytics below), and some authorities such as France’s CNIL exempt strictly first-party audience measurement under narrow conditions |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
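The requirements above (prior consent, no pre-ticked boxes, granular categories, withdrawal as easy as consent, a consent record) describe a mechanism, not just a banner. The following is a minimal consent gate written for this article as an added example; it is not code from Complianz, CookieYes or any other plugin named here. Its assumptions: third-party tags are written into the page as `<script type="text/plain" data-consent="category" data-src="url">`, which the browser never executes, the `COOKIES_BY_CATEGORY` registry and `POLICY_VERSION` string are placeholders for your own, and the sample script list is constructed. Permitted tags are re-created as real scripts only for categories present in the stored record, and the record carries a random ID rather than the visitor’s IP.

```javascript
// Minimal prior-consent gate. Added example for this article, not code from Complianz,
// CookieYes or any other plugin named here. Assumptions: scripts are declared inert with
// type="text/plain" plus data-consent="<category>" and data-src="<url>", the
// cookie-to-category registry below, and the policy version string.

const CATEGORIES = ['functional', 'analytics', 'marketing']; // strictly necessary is always allowed
const POLICY_VERSION = '2026-01'; // assumed; bump whenever the cookie policy or banner text changes

// Assumed registry of the cookies each category sets, so withdrawal knows what to remove.
const COOKIES_BY_CATEGORY = {
  functional: ['site_lang', 'site_tz'],
  analytics: ['_ga', '_gid', '_pk_id', '_pk_ses'],
  marketing: ['_fbp', '_gcl_au', 'IDE'],
};

// Constructed sample of the inert script tags a page might carry (what the DOM glue below
// would read from <script type="text/plain" data-consent=... data-src=...>).
const SAMPLE_SCRIPTS = [
  { category: 'analytics', src: 'https://analytics.example/collect.js' },
  { category: 'marketing', src: 'https://ads.example/pixel.js' },
  { category: 'anlytics', src: 'https://typo.example/tracker.js' }, // misspelled category on purpose
];

// No pre-ticked boxes: every optional category starts out false.
function emptyConsent() {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = false;
  return categories;
}

// The record to store server-side and mirror in a first-party cookie. It carries a random
// pseudonymous ID rather than the visitor's IP or account, so the proof of consent does not
// itself become a new store of personal data. Only an explicit boolean true counts as consent.
function buildConsentRecord(choices, now, randomId) {
  const categories = emptyConsent();
  for (const c of CATEGORIES) {
    if (choices[c] === true) categories[c] = true;
  }
  return { id: randomId, timestamp: now.toISOString(), policyVersion: POLICY_VERSION, categories };
}

// "Reject all" must sit next to "Accept all" on the first layer of the banner.
function rejectAll(now, randomId) {
  return buildConsentRecord({}, now, randomId);
}
function acceptAll(now, randomId) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return buildConsentRecord(all, now, randomId);
}

// Decide which inert scripts may run. An unknown or missing category is treated as
// marketing, the strictest bucket, so a typo in a tag never leaks a tracker past the gate.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => {
    const cat = CATEGORIES.includes(s.category) ? s.category : 'marketing';
    return record.categories[cat] === true;
  });
}

// Withdrawal must be as easy as consent: one call resets every category and lists the
// cookies to expire on the client (their server-side data is purged separately).
function withdrawConsent(record, now) {
  const cookiesToDelete = [];
  for (const c of CATEGORIES) {
    if (record.categories[c] === true) cookiesToDelete.push(...COOKIES_BY_CATEGORY[c]);
  }
  const cleared = { ...record, timestamp: now.toISOString(), categories: emptyConsent() };
  return { record: cleared, cookiesToDelete };
}

// Browser-only glue; returns 0 when there is no DOM (e.g. under Node). Re-creates each
// permitted <script type="text/plain"> as a real script element. type="text/plain" is what
// stops the browser from executing the tag before consent exists.
function applyConsentToDom(record) {
  if (typeof document === 'undefined') return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  let activated = 0;
  for (const s of scriptsToActivate(inert, record)) {
    const live = document.createElement('script');
    live.src = s.src;
    live.async = true;
    s.el.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

The design point is that the gate fails closed: a tag with a misspelled or missing category is treated as marketing and stays inert until the visitor opts into the strictest bucket. The “Script Blocking” column in the plugin table that follows refers to exactly this behaviour - holding the script, not merely hiding a banner - and it is the capability to verify when evaluating a plugin: open the page in a fresh private window and confirm that no analytics or advertising requests appear in the network tab before you click anything.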
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (verify the requester’s identity first - a data subject access request fulfilled for the wrong person is itself a data breach - then provide the data within one month, extendable by two further months for complex requests if you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you are legally required to keep for tax or accounting purposes)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Each request sends a confirmation link to the requester’s email address, which doubles as identity verification - do not bypass it by exporting data manually for whoever asks. The tools cover core WordPress data plus whatever plugins register with them: WooCommerce hooks its order data in (see WooCommerce > Settings > Accounts & Privacy), but BuddyPress profiles and form-plugin submissions may need their own export/erasure handling, so test a request end to end rather than assuming coverage.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify affected users directly without undue delay. Every breach, reported or not, has to be documented internally with its facts, effects and the remedial action taken. Designate someone responsible for breach assessment and notification, and make sure your hosting and SaaS processors are contractually obliged to tell you about breaches promptly - the 72-hour clock is yours, not theirs.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). The one thing still in your hands is the page that hosts the redirect or iframe: a compromised plugin or injected script on that page can swap in a fake form or skim keystrokes, so keep the checkout page free of unnecessary third-party scripts and watch it for unexpected changes.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and do not let them into your logs either - a debug log of raw checkout request bodies puts you straight back into scope. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server.
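The SAQ A position rests on one assumption - card numbers never reach your systems - and the places that assumption quietly breaks are free-text fields, support tickets and logs. The following guard, written for this article as an added example (not Stripe, PayPal or WooCommerce code), finds digit runs that look like a card number and pass the Luhn check, so a server can refuse a request that carries one and redact anything that is about to be logged. The sample log line and request bodies are constructed; the field names are assumptions.

```javascript
// Guard that keeps primary account numbers (PANs) out of your own forms, database and
// logs. Added example for this article, not Stripe, PayPal or WooCommerce code. It finds
// digit runs that look like card numbers and pass the Luhn check, so you can reject the
// request or redact the value before it is written anywhere.

// Constructed sample log line of the kind that silently pulls a merchant back into PCI
// scope: a support note where someone pasted a (test) card number.
const SAMPLE_LOG_LINE = 'support ticket 88213: customer card 4242 4242 4242 4242 exp 12/28 declined';

// Luhn (mod 10) checksum. Real PANs pass it; most order numbers and phone numbers do not,
// which keeps false positives down.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes as people type them.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(raw) {
  const digits = raw.replace(/[ -]/g, '');
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Every PAN-looking substring in a piece of text, as it appeared.
function findPans(text) {
  const found = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    if (isPan(m[0])) found.push(m[0]);
  }
  return found;
}

// Mask all but the last four digits: enough to correlate with the processor's dashboard,
// not enough to be cardholder data. Run this over anything headed for a log or ticket.
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, (raw) => {
    if (!isPan(raw)) return raw;
    const digits = raw.replace(/[ -]/g, '');
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Request-level check for your own endpoints. A checkout handler behind Stripe.js/Elements
// or Smart Buttons should only ever receive a token or payment-method id; a PAN in the body
// means the client-side integration broke or someone is probing, so refuse and alert rather
// than store it. `body` is the parsed JSON or form fields as a plain object.
function checkRequestBody(body) {
  const offendingFields = [];
  for (const [field, value] of Object.entries(body)) {
    if (typeof value === 'string' && findPans(value).length > 0) offendingFields.push(field);
  }
  return { ok: offendingFields.length === 0, offendingFields };
}
```

Wire `checkRequestBody` into the checkout route before any persistence and `redactPans` into the logging layer for every route, not just checkout - the card number in the constructed sample arrived through a support form, which is how it happens in practice. A hit on the checkout route is a signal worth alerting on, because with Stripe.js or Elements working correctly it should never occur.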
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - provided you actually store the timestamp and the ToS version accepted alongside the account, which a bare checkbox does not do on its own. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked - bundled consent is not valid, and declining marketing consent must not block registration.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy rules add a narrow “soft opt-in” for existing customers being marketed similar products, with an opt-out in every message). Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with limited implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
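As an added example (not code from the original post), a minimal consent gate in plain JavaScript that implements the requirements above: with no record only strictly necessary scripts run, anything not explicitly ticked is refused, "Accept All" and "Reject All" are symmetric, withdrawal writes a fresh record, and every record captures what was consented to, when, by whom and how. Category names follow the table; the policy version string, the visitor id field, the sample script list and the `<script type="text/plain">` deferral convention are assumptions.

```javascript
// Added example (not the original post's code). Category names follow the
// page's cookie categories; POLICY_VERSION, the visitorId field, the script
// descriptors and the <script type="text/plain"> convention are assumptions.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed: change it whenever the cookie policy changes

// Constructed sample of deferred scripts; in a real page they would be shipped as
// <script type="text/plain" data-category="analytics" data-src="..."> so the
// browser does not execute them before consent exists.
const SAMPLE_SCRIPTS = [
  { src: "/js/cart.js", category: "necessary" },
  { src: "https://analytics.example/script.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Build a consent record from an explicit user choice. Only a boolean true counts
// as consent (no pre-ticked or implied acceptance); "necessary" is always on
// because it is exempt. The record answers: what, when, by whom, and how.
function createConsentRecord(choices, meta) {
  const record = {
    timestamp: meta.timestamp || new Date().toISOString(),
    policyVersion: POLICY_VERSION,
    method: meta.method,        // e.g. "banner-button", "settings-page", "withdrawal"
    visitorId: meta.visitorId,  // pseudonymous id kept in a strictly necessary cookie
    choices: {},
  };
  for (const c of CATEGORIES) {
    record.choices[c] = c === "necessary" ? true : choices[c] === true;
  }
  return record;
}

// Prior consent: with no record, only strictly necessary cookies are allowed.
// A record made under an older policy version is not trusted (assumed practice:
// ask again after the cookie policy text changes).
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// "Accept All" and "Reject All" are offered together; both produce a record.
function acceptAll(meta) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return createConsentRecord(all, meta);
}
function rejectAll(meta) {
  return createConsentRecord({}, meta);
}

// Withdrawal is as easy as consent: one call (e.g. from the footer settings
// link) writes a fresh record that refuses every optional category.
function withdrawConsent(meta) {
  return createConsentRecord({}, { ...meta, method: "withdrawal" });
}

// Decide which deferred scripts may run for a given record.
function scriptsToActivate(record, scripts) {
  return scripts.filter((s) => isAllowed(record, s.category));
}

// Browser glue, skipped outside a DOM: turn permitted text/plain tags into real scripts.
function activateInDom(record) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  for (const tag of document.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!isAllowed(record, tag.dataset.category)) continue;
    const live = document.createElement("script");
    live.src = tag.dataset.src;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}
```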
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
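With a tokenizing form in place, a raw card number should never reach your server, which is exactly why a guard for that case is worth having: a hit means some form or plugin has drifted out of the tokenized flow and your PCI scope has just grown. The following is an added example, not code from the article or from Stripe, PayPal or WooCommerce; the field names, the middleware signature (Express-style `req`, `res`, `next`) and the response wording are this example's assumptions.

```javascript
// Added example: detect a raw PAN in a request body, refuse the request, and keep the
// number out of your logs. Not code from the article or from any payment processor.

// Luhn check (ISO/IEC 7812); every card brand's PAN passes it, most random digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A PAN candidate is 13-19 digits, optionally separated by spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Return every Luhn-valid PAN-shaped run in a string.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_PATTERN)) {
    if (isPan(m[0])) found.push(m[0]);
  }
  return found;
}

// Walk a parsed body (objects, arrays, strings, numbers) and report the paths that carry a PAN.
function scanBody(body, path = '') {
  const hits = [];
  if (body === null || body === undefined) return hits;
  if (typeof body === 'string' || typeof body === 'number') {
    if (findPans(String(body)).length > 0) hits.push(path || '(root)');
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => hits.push(...scanBody(v, `${path}[${i}]`)));
  } else if (typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  }
  return hits;
}

// Replace any PAN in free text with a marker, for use before a line is written to a log.
function redactPans(text) {
  return String(text).replace(PAN_PATTERN, (m) => (isPan(m) ? '[PAN REDACTED]' : m));
}

// Express-style middleware: reject the request and log only the offending field names.
// The card number itself is never written anywhere.
function rejectRawCardData(req, res, next) {
  const hits = scanBody(req.body);
  if (hits.length === 0) return next();
  console.warn(`raw card data rejected; fields: ${hits.join(', ')}`);
  return res.status(400).json({
    error: 'Card details must be entered in the payment form, not submitted to this server.',
  });
}
```

Mount `rejectRawCardData` ahead of every form handler, and run `redactPans` over any request logging you do; the test values below (4242… and 4111…) are the processors' public test card numbers, not real accounts.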
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
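Taken together, the requirements list and the category table above amount to a small state machine: non-essential categories default to off, a script in a category runs only after an active choice for that category, Accept All and Reject All are equally easy, withdrawal is one step, and every decision leaves a record of what, when and by whom. The following is an added example that implements exactly that, not code from the article or from any of the plugins it compares; the category names, the inert `<script type="text/plain" data-consent="…" data-src="…">` authoring convention, the `policyVersion` field and the storage key are this example's own assumptions.

```javascript
// Added example: a minimal consent gate for the rules above. Not code from the article or
// any consent plugin; category names, attribute convention and storage key are its own.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// State before the visitor acts: strictly necessary only; nothing is pre-ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn explicit choices into a consent record for the consent log. Only a literal boolean
// true counts; anything else (undefined, 'yes', 1) is treated as "no", so a form bug cannot
// silently produce consent. visitorId is a pseudonymous id you issue, not the user's name.
function buildConsentRecord(choices, visitorId, policyVersion, method, now = new Date()) {
  const consent = defaultChoices();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices[cat] === true) consent[cat] = true;
  }
  return { consent, visitorId, policyVersion, method, timestamp: now.toISOString() };
}

// "Accept All" and "Reject All" must be equally easy: one call each, no extra steps.
function acceptAll(visitorId, policyVersion, now) {
  const all = { functional: true, analytics: true, marketing: true };
  return buildConsentRecord(all, visitorId, policyVersion, 'accept_all', now);
}
function rejectAll(visitorId, policyVersion, now) {
  return buildConsentRecord({}, visitorId, policyVersion, 'reject_all', now);
}

// Withdrawal produces a new record; keep the old one in the log, the history is the evidence.
function withdrawConsent(record, now = new Date()) {
  return buildConsentRecord({}, record.visitorId, record.policyVersion, 'withdrawn', now);
}

// Gate: may a script in this category run under this record? Strictly necessary is exempt
// and always allowed; everything else fails closed when the record is missing or the
// category is unknown.
function mayLoad(record, category) {
  if (category === 'necessary') return true;
  if (!record || !CATEGORIES.includes(category)) return false;
  return record.consent[category] === true;
}

// A record only proves consent for the policy version it was given against; after a
// policy change the visitor has to be asked again.
function isCurrent(record, policyVersion) {
  return !!record && record.policyVersion === policyVersion;
}

// Browser glue. Third-party tags are authored inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://analytics.example/a.js"></script>
// so the browser never fetches them until a real script element is swapped in here; that is
// what "prior" consent means in practice. `doc` is injectable so the logic runs outside a browser.
function activateConsentedScripts(record, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    if (!mayLoad(record, el.getAttribute('data-consent'))) continue;
    const live = doc.createElement('script');
    const src = el.getAttribute('data-src');
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Remember the latest record client-side (so the banner is not shown again) and return the
// JSON the page should POST to the server-side consent log. Storage is injectable.
function persistRecord(record, storage = (typeof localStorage !== 'undefined' ? localStorage : null)) {
  const json = JSON.stringify(record);
  if (storage) storage.setItem('consent-record', json);
  return json;
}
```

On page load, read the stored record, check `isCurrent` against the policy version you ship with the page, and call `activateConsentedScripts` only if it is current; otherwise show the banner with nothing ticked. The server-side log receives every record, including withdrawals, which is what the "consent records" requirement above asks for.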
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
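One way to enforce "card data never touches your server" in code, as an added example that is not from the article or from Stripe, PayPal or WooCommerce: a server-side guard that rejects any inbound payload carrying something that looks like a card number. It uses the Luhn checksum all major card brands share, and it deliberately errs toward false positives, because blocking an odd-looking order id costs far less than storing a PAN. The payloads at the bottom are constructed sample input.

```javascript
// Added example, not from the article or from Stripe/PayPal/WooCommerce: a
// server-side guard that rejects any inbound payload (form post, JSON body)
// carrying something that looks like a card number, so a misconfigured form
// cannot quietly pull your server into PCI scope. The field names in the
// sample payloads are constructed for the example.

function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when the value contains a 13-19 digit run (spaces or dashes allowed
// between groups) that passes the Luhn check.
function looksLikePan(value) {
  const runs = String(value).match(/(?:\d[ -]?){13,19}/g) || [];
  return runs.some(run => {
    const digits = run.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Walks nested objects/arrays and returns dotted paths of fields that look
// like a PAN. Values are never copied into the result, so nothing sensitive
// reaches your logs.
function findCardFields(payload, path = '') {
  const hits = [];
  if (payload !== null && typeof payload === 'object') {
    for (const [key, val] of Object.entries(payload)) {
      hits.push(...findCardFields(val, path ? `${path}.${key}` : key));
    }
  } else if (typeof payload === 'string' || typeof payload === 'number') {
    if (looksLikePan(payload)) hits.push(path);
  }
  return hits;
}

// Use at the top of any request handler that accepts checkout data: refuse
// the request (and alert) instead of processing a payload you must not store.
function guardPayload(payload) {
  const cardFields = findCardFields(payload);
  return cardFields.length === 0
    ? { accepted: true, cardFields: [] }
    : { accepted: false, cardFields };
}

// Constructed sample input: a form that mistakenly posts the raw card number,
// and the shape you actually want (a processor token plus an amount).
const SAMPLE_BAD_PAYLOAD = {
  name: 'Ada Example',
  card: { number: '4242 4242 4242 4242', exp: '12/29' },
  note: 'order 12345',
};
const SAMPLE_GOOD_PAYLOAD = {
  name: 'Ada Example',
  paymentMethodId: 'pm_placeholder',
  amountCents: 1999,
};
```

Wire `guardPayload` into the request path before any logging or persistence; a rejected request is a signal that a form or plugin is misconfigured, which is exactly the condition that widens PCI scope.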
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from anywhere on the site. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
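A way to make the monthly cookie scan in the table above repeatable, as an added example that is not from the article or from any consent plugin: compare the cookies a page actually sets against the inventory declared in your cookie policy, and against the categories the visitor has consented to. It flags anything undeclared (typically a freshly installed plugin) and anything non-essential that was set without consent. Run it in the browser console on `document.cookie`, or on a captured Cookie header; the inventory and the sample cookie string below are constructed, not a real site's.

```javascript
// Added example, not from the article or any consent plugin: audit the
// cookies a page sets against the declared cookie inventory and the visitor's
// consent. DECLARED_COOKIES and SAMPLE_COOKIE_STRING are constructed samples.

// Pattern rules: a trailing '*' is a prefix match, anything else is exact.
const DECLARED_COOKIES = [
  { pattern: 'wordpress_logged_in_*', category: 'strictly_necessary' },
  { pattern: 'wordpress_sec_*', category: 'strictly_necessary' },
  { pattern: 'woocommerce_cart_hash', category: 'strictly_necessary' },
  { pattern: 'wp-settings-*', category: 'functional' },
  { pattern: '_ga', category: 'analytics' },
  { pattern: '_ga_*', category: 'analytics' },
];

// Cookie names from a document.cookie / Cookie-header style string.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => part.split('=')[0].trim());
}

function matchesPattern(name, pattern) {
  return pattern.endsWith('*')
    ? name.startsWith(pattern.slice(0, -1))
    : name === pattern;
}

// consented: categories the visitor opted in to. Strictly necessary cookies
// never need consent, so that category is always treated as allowed.
function auditCookies(cookieString, consented, declared = DECLARED_COOKIES) {
  const allowed = new Set(['strictly_necessary', ...consented]);
  const report = { undeclared: [], setWithoutConsent: [], byCategory: {} };
  for (const name of cookieNames(cookieString)) {
    const entry = declared.find(d => matchesPattern(name, d.pattern));
    if (!entry) {
      report.undeclared.push(name);
      continue;
    }
    report.byCategory[entry.category] = report.byCategory[entry.category] || [];
    report.byCategory[entry.category].push(name);
    if (!allowed.has(entry.category)) report.setWithoutConsent.push(name);
  }
  return report;
}

// Constructed sample: what document.cookie might return on a page where a
// newly installed plugin set _fbp and a session cookie nobody documented,
// while the visitor had only consented to functional cookies.
const SAMPLE_COOKIE_STRING =
  'wordpress_logged_in_abc=1; wp-settings-2=x; _ga=GA1.1.123; _ga_ABC=GS1.1; _fbp=fb.1.9; PHPSESSID=s3ss10n';

// In a browser: auditCookies(document.cookie, ['functional'])
```

An entry in `undeclared` means the privacy policy and cookie policy are already out of date; an entry in `setWithoutConsent` means the consent banner is not actually blocking the script that sets it, which is the "prior consent" failure regulators look for.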
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
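The core logic behind a banner that meets the requirements listed above and the category table, as an added example that is not from the article or from any of the plugins compared below. Non-essential scripts are registered with a cookie category and stay unloaded until the visitor actively opts in to that category (prior consent, nothing pre-ticked, granular per category, reject-all as easy as accept-all); the decision is stored as a record with a consent id, categories, policy version and timestamp, and can be withdrawn. Storage and script loading are injected so the same logic runs in a browser or in a test. The browser adapters, the `localStorage` key and the policy version string are assumptions.

```javascript
// Added example, not from the article or any consent plugin: consent-gated
// script loading with a stored consent record. POLICY_VERSION, the storage
// key and the browser adapters are assumptions for the example.

const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'marketing'];
const OPTIONAL = CATEGORIES.filter(c => c !== 'strictly_necessary');
const POLICY_VERSION = '2026-01'; // assumed; change whenever the cookie policy changes

function createConsentManager({ loadScript, storage, now = () => new Date(),
                                newId = () => Math.random().toString(36).slice(2, 14) }) {
  const pending = [];   // scripts waiting for consent: { category, src }
  const loaded = [];    // scripts released so far

  function record() {
    const raw = storage.get();
    if (!raw) return null;
    const rec = JSON.parse(raw);
    // Consent given under an older policy version does not carry over.
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  function allowed(category) {
    if (category === 'strictly_necessary') return true;
    const rec = record();
    return rec !== null && rec.categories.includes(category);
  }

  function release(src) {
    loadScript(src);
    loaded.push(src);
  }

  // Called for every third-party script instead of a plain <script> tag.
  function register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (allowed(category)) release(src);
    else pending.push({ category, src });
  }

  // What the banner shows before any choice: every optional box unticked.
  function defaultChoices() {
    return Object.fromEntries(OPTIONAL.map(c => [c, false]));
  }

  // Persist an explicit choice and release only the scripts it covers.
  function save(choices) {
    const categories = ['strictly_necessary', ...OPTIONAL.filter(c => choices[c] === true)];
    const rec = { consentId: newId(), categories, policyVersion: POLICY_VERSION,
                  timestamp: now().toISOString() };
    storage.set(JSON.stringify(rec));
    for (const item of pending.splice(0)) {
      if (categories.includes(item.category)) release(item.src);
      else pending.push(item);
    }
    return rec;
  }

  const acceptAll = () => save(Object.fromEntries(OPTIONAL.map(c => [c, true])));
  const rejectAll = () => save(defaultChoices());

  // Withdrawal is one call from the footer "Cookie settings" link. Scripts
  // already running cannot be unloaded, so the page should reload afterwards.
  function withdraw() { storage.remove(); }

  return { register, allowed, defaultChoices, save, acceptAll, rejectAll,
           withdraw, record, loadedScripts: () => loaded.slice() };
}

// Browser wiring (assumed): keep the record in localStorage and load scripts
// by appending <script> tags. Not executed here; call it from page code.
function browserConsentManager() {
  return createConsentManager({
    storage: {
      get: () => localStorage.getItem('cookie_consent'),
      set: value => localStorage.setItem('cookie_consent', value),
      remove: () => localStorage.removeItem('cookie_consent'),
    },
    loadScript: src => {
      const tag = document.createElement('script');
      tag.src = src;
      tag.async = true;
      document.head.appendChild(tag);
    },
  });
}
```

Two details do most of the compliance work: `register` is the only way scripts get onto the page, so a tag that is added the normal way bypasses nothing by accident rather than by design; and `record` ignores any stored consent from an older `POLICY_VERSION`, so changing what you collect forces a fresh choice. A real deployment would also post each saved record to the server, since the consent log has to survive the visitor clearing their browser.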
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: payment details are collected client-side and exchanged for a token before the request reaches your server, so only the token, never the card number, touches your systems.
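Tokenized forms keep card numbers out of your systems by design, but a PAN can still arrive by accident: a customer pastes it into an order note, a contact form, or a support ticket. A useful safeguard is to scan inbound submissions before they are stored and refuse anything that looks like a card number. The following is an added example written for this post (not Stripe's, PayPal's or WooCommerce's code); the field names and the sample submission are constructed, and the card number in it is a well-known test number, not a real one.

```javascript
// Added example (not from the original post): refuse to persist submissions
// that contain a primary account number (PAN), keeping card data out of your
// database even when a user pastes it where it does not belong.

// Luhn check: every real PAN passes it, so it filters out most digit runs
// (order references, phone numbers, tracking ids) that a regex alone flags.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns the Luhn-valid candidates found in free text, digits only.
// Simplification: a longer digit run that merely contains a PAN is not
// split into sub-windows here.
function findPans(text) {
  const found = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// PCI DSS permits displaying at most the first 6 and last 4 digits; anything
// you log or alert on must use this masked form, never the full PAN.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Run over every string field of an inbound submission (form post, comment,
// support ticket). Any hit should block persistence and raise an alert.
function scanSubmission(fields) {
  const hits = [];
  for (const [field, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    for (const pan of findPans(value)) hits.push({ field, masked: maskPan(pan) });
  }
  return hits;
}

// Constructed sample submission. The order reference fails Luhn and is ignored;
// the notes field contains a standard test card number and is flagged.
const sample = {
  name: "Alice Example",
  order_ref: "1234567890123456",
  notes: "please charge 4111 1111 1111 1111 instead",
};
console.log(scanSubmission(sample)); // one hit: field "notes", masked "411111******1111"
```

Wire `scanSubmission` in front of whatever writes form data to the database (a WordPress form plugin hook, an API middleware) and treat a hit as an incident to review, since it means card data was offered to a system that is supposed to be out of PCI scope.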
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
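To make the requirements above concrete, here is an added example (not code from the article or from any of the plugins discussed) of a small DOM-free consent store: nothing but strictly necessary code runs before a choice is recorded, categories are granular, "Reject all" is as easy as "Accept all", withdrawal is one call, and every decision is stored with a timestamp and policy version. The cookie name, the policy version string and the `data-consent` attribute convention for gated scripts are assumptions for this example.

```javascript
// Added example: granular cookie consent store (not the article's or any plugin's code).
// Assumptions: cookie name "cookie_consent", POLICY_VERSION, and the data-consent attribute.

const POLICY_VERSION = '2024-06'; // bump when the cookie policy changes; older consent is then stale
const CONSENT_COOKIE = 'cookie_consent';
const OPTIONAL_CATEGORIES = ['functional', 'analytics', 'marketing'];

// Strictly necessary cookies are exempt, so that category is always true and never user-selectable.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a record from explicit choices. Nothing is pre-ticked: a category the user did not
// actively tick stays false. Unknown categories (including "necessary") are rejected, not ignored.
function recordConsent(choices, { method = 'banner', now = new Date() } = {}) {
  const consent = defaultConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!OPTIONAL_CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    consent[category] = value === true;
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), method, consent };
}

// "Accept all" and "Reject all" are symmetric: one click each, both produce a complete record.
function acceptAll(opts) {
  const all = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true]));
  return recordConsent(all, opts);
}
function rejectAll(opts) {
  return recordConsent({}, opts);
}

// Withdrawal via the footer settings link uses the same mechanism: a new record, different method.
function withdrawConsent(now) {
  return rejectAll({ method: 'settings-link', now });
}

// The consent cookie itself is strictly necessary, so it may be set without consent.
// Six months max age; after that the banner is shown again.
function toSetCookieHeader(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Read the stored record back out of a Cookie header. Returns null (meaning "ask again") when
// the cookie is missing, malformed, or was given under an older policy version.
function parseConsentCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join('=')));
      if (record.version !== POLICY_VERSION || !record.consent) return null;
      return record;
    } catch {
      return null;
    }
  }
  return null;
}

// Gate: may a script tagged with this category run? No record means no consent yet, so only
// strictly necessary code runs. This is what "prior consent" looks like in practice.
function mayRun(record, category) {
  if (category === 'necessary') return true;
  if (!record) return false;
  return record.consent[category] === true;
}

// Browser wiring: ship third-party tags as <script type="text/plain" data-consent="analytics" ...>
// so the browser does not execute them, then activate only the consented ones. `doc` is passed
// in so the logic stays testable outside a browser. Returns the number of scripts activated.
function activateScripts(record, doc) {
  let activated = 0;
  for (const placeholder of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayRun(record, placeholder.getAttribute('data-consent'))) continue;
    const live = doc.createElement('script');
    for (const { name, value } of placeholder.attributes) {
      if (name !== 'type' && name !== 'data-consent') live.setAttribute(name, value);
    }
    live.textContent = placeholder.textContent;
    placeholder.replaceWith(live); // swapping in a real <script> is what triggers execution
    activated += 1;
  }
  return activated;
}
```

In the browser, call `parseConsentCookie(document.cookie)` on load, show the banner when it returns null, and only call `activateScripts` with a non-null record; the same functions also drive the "cookie settings" link.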
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
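As an added example (not code from the article or from any of the plugins it compares), here is the consent gate those requirements and categories translate into in JavaScript: nothing in the functional, analytics or marketing categories runs until an explicit per-category choice is stored, "reject all" is one call just like "accept all", withdrawal writes a fresh record, and each record carries the timestamp, method and policy version it was given against. The storage key, the policy-version staleness check and the injectable storage/clock are my assumptions, chosen so the same logic runs against window.localStorage in a browser or in Node.

```javascript
// Added example, not from the article or any consent plugin.
// Storage and clock are injected: pass window.localStorage in a browser,
// or the in-memory storage below when running under Node.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const STORAGE_KEY = "cookie_consent_v1"; // assumed key name

function createConsentManager({ storage, now = () => new Date(), policyVersion }) {
  function load() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      // A record given against an older cookie policy is stale: ask again.
      return rec.policyVersion === policyVersion ? rec : null;
    } catch {
      return null;
    }
  }

  function save(rec) {
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // Explicit, active choice per category. Anything not set to true is
  // treated as refused, so there is no pre-ticked or implied consent.
  function recordConsent(choices, method = "banner") {
    const granted = {};
    for (const c of CATEGORIES) {
      granted[c] = c === "necessary" ? true : choices[c] === true;
    }
    return save({
      policyVersion,
      method, // how the decision was made: banner button, settings page, withdrawal
      grantedAt: now().toISOString(),
      granted,
    });
  }

  const acceptAll = () =>
    recordConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "banner:accept-all");
  // "Reject all" is exactly as easy as "Accept all": one call, one click.
  const rejectAll = () => recordConsent({}, "banner:reject-all");
  // Withdrawal is a new record that revokes every non-essential category.
  const withdraw = () => recordConsent({}, "settings:withdraw");

  // Strictly necessary cookies are always allowed; everything else needs a
  // stored, current, explicit grant. No record at all means "not decided yet".
  function isAllowed(category) {
    if (category === "necessary") return true;
    const rec = load();
    return rec !== null && rec.granted[category] === true;
  }

  function hasDecided() {
    return load() !== null;
  }

  // Given tag descriptors, return only those that may be loaded right now;
  // non-essential tags stay blocked until there is an explicit grant.
  function allowedScripts(scripts) {
    return scripts.filter((s) => isAllowed(s.category));
  }

  return { recordConsent, acceptAll, rejectAll, withdraw, isAllowed, hasDecided, allowedScripts, load };
}

// Constructed in-memory stand-in for localStorage so the demo runs without a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Constructed sample tags, one per category the article's table lists.
const SCRIPTS = [
  { src: "/session.js", category: "necessary" },
  { src: "/analytics.js", category: "analytics" },
  { src: "/ads-pixel.js", category: "marketing" },
];

// Stand-alone demo: before any choice only the session script may load.
const demo = createConsentManager({ storage: memoryStorage(), policyVersion: "2026-01" });
console.log("before consent:", demo.allowedScripts(SCRIPTS).map((s) => s.src)); // [ '/session.js' ]
demo.recordConsent({ analytics: true });
console.log("after analytics consent:", demo.allowedScripts(SCRIPTS).map((s) => s.src));
```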
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
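The tokenized-form design only keeps you at SAQ A if a raw card number can never reach your own server, and a custom form, a support note field or a misconfigured integration can quietly break that assumption. As an added example (not code from the original post, Stripe, PayPal or WooCommerce), here is a server-side guard that scans an incoming request body for Luhn-valid 13-19 digit runs and rejects the request before any handler, logger or database sees the value. The Express-style middleware signature and the field names in the sample body are assumptions for illustration; the 4242... number is a well-known test card number used here as constructed sample data.

```javascript
// Added example: fail closed when raw card data shows up where only tokens should.
// Luhn mod-10 check over a digit string; weeds out order ids and timestamps that
// merely happen to be 13-19 digits long.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns the matched substrings that pass Luhn (empty array if none).
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Walk a parsed JSON body and report the dotted path of every field carrying a PAN.
function scanBody(body, path = '') {
  const findings = [];
  if (body === null || body === undefined) return findings;
  if (typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof body === 'string' || typeof body === 'number') {
    if (findPans(body).length > 0) findings.push(path || '(root)');
  }
  return findings;
}

// Middleware-shaped check (assumed Express-style req/res/next). The 400 response
// names the offending field but never echoes the number back.
function rejectRawCardData(req, res, next) {
  const fields = scanBody(req.body);
  if (fields.length === 0) return next();
  res.status(400).json({
    error: 'raw card data is not accepted here; use the tokenized payment form',
    fields,
  });
  return undefined;
}

// Constructed sample bodies: a healthy tokenized checkout and a broken one.
const okBody = { order_id: '1234567890123', payment_method: 'pm_constructed_abc', amount: 1999 };
const badBody = { customer: { note: 'please charge 4242-4242-4242-4242' } };
console.log(scanBody(okBody));   // []
console.log(scanBody(badBody));  // [ 'customer.note' ]
```

Mount the guard ahead of body-parsing consumers on every route, not only the checkout route, and treat any hit as an incident to investigate: it means something on the client side is sending card data around the processor's form.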
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
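The practical requirements listed above and the category table map directly onto a small piece of client-side logic: nothing outside the strictly necessary category runs before an active choice, the choice is per category, withdrawal is one call, and every decision is recorded with a timestamp and policy version. The following is an added example (not code from the original post or from any of the plugins compared below) of that logic. It injects its storage and clock so it runs outside a browser; in production the store would be a first-party cookie or localStorage and the log entries would be posted to your server. Class, method and category names are my own.

```javascript
// Added example: minimal granular consent manager. Consent is opt-in per
// category, defaults to "not given", and every decision is logged.
const CATEGORIES = Object.freeze(['necessary', 'functional', 'analytics', 'marketing']);

class ConsentManager {
  constructor({ store = new Map(), now = () => new Date(), policyVersion = 'policy-v1' } = {}) {
    this.store = store;              // key/value store standing in for a first-party cookie
    this.now = now;                  // injectable clock, so records are reproducible in tests
    this.policyVersion = policyVersion;
    this.log = [];                   // consent records: what, when, how, under which policy
  }

  // The visitor's current decision, or null if none has been made yet.
  current() {
    const raw = this.store.get('consent');
    return raw ? JSON.parse(raw) : null;
  }

  // Strictly necessary cookies are exempt; everything else needs a prior, explicit choice.
  // With no recorded choice this returns false: scrolling or browsing implies nothing.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true;
    const c = this.current();
    return c !== null && c.granted.includes(category);
  }

  // Record a granular choice. `granted` is what the visitor actively ticked; nothing is
  // pre-ticked, so an empty list ("Reject All") is a perfectly valid outcome.
  decide(granted, { method }) {
    const clean = [...new Set(granted)].filter((c) => c !== 'necessary');
    for (const c of clean) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    const record = {
      granted: clean,
      denied: CATEGORIES.filter((c) => c !== 'necessary' && !clean.includes(c)),
      method,                                   // e.g. 'banner:accept-all', 'settings:withdraw'
      policyVersion: this.policyVersion,        // re-prompt when the policy version changes
      timestamp: this.now().toISOString(),
    };
    this.store.set('consent', JSON.stringify(record));
    this.log.push(record);
    return record;
  }

  // "Accept All" and "Reject All" are equally prominent, one-click actions.
  acceptAll(method = 'banner:accept-all') { return this.decide(CATEGORIES, { method }); }
  rejectAll(method = 'banner:reject-all') { return this.decide([], { method }); }
  // Withdrawal is as easy as giving consent: one call from the footer settings link.
  withdraw(method = 'settings:withdraw') { return this.decide([], { method }); }

  // Gate a script loader on its category; returns whether the loader actually ran.
  loadIfAllowed(category, loader) {
    if (!this.isAllowed(category)) return false;
    loader();
    return true;
  }
}

// Usage with a fixed clock (constructed sample values).
const cm = new ConsentManager({ now: () => new Date('2024-05-01T12:00:00Z') });
cm.loadIfAllowed('analytics', () => console.log('analytics loaded'));   // not run: no consent yet
cm.decide(['analytics'], { method: 'banner:custom' });                   // analytics only
cm.loadIfAllowed('analytics', () => console.log('analytics loaded'));   // runs now
cm.loadIfAllowed('marketing', () => console.log('pixel loaded'));       // still not run
console.log(cm.log);
```

The `policyVersion` field is the piece most home-grown banners forget: when the cookie policy changes, an old consent record no longer covers the new cookies, and comparing the stored version against the current one is what tells you to show the banner again.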
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (13 for US sites; the GDPR age of digital consent is 16 by default, with member states allowed to lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Store only the outcome of the check and when it was made, not the birth date itself: collecting more personal data than you need is its own privacy problem.
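The registration age check described above, as an added example written for this page (not code from WordPress, BuddyPress or any plugin): it parses the form's date-of-birth field strictly, computes age on calendar dates so the visitor's timezone and a 29 February birthday cannot produce an off-by-one around the birthday, and returns only the outcome to store. The minimum ages and the `region` parameter are this example's assumptions; wire the region to whatever geolocation your consent plugin already uses.

```javascript
'use strict';

// Constructed example, not code from WordPress, BuddyPress or any plugin. Minimum ages
// and the `region` switch are this example's assumptions; wire region to real geolocation.
const MIN_AGE_US = 13;          // COPPA
const MIN_AGE_EU_DEFAULT = 16;  // GDPR Art. 8 default; member states may lower it to 13

// Age in whole years on `today`, computed on UTC calendar dates so the visitor's timezone
// cannot shift the birthday, and a 29 February birth counts as reached on 1 March.
function ageInYears(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayNotYetReached =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  if (birthdayNotYetReached) age -= 1;
  return age;
}

// Parse the form's YYYY-MM-DD value strictly: reject malformed strings, impossible dates
// such as 2012-02-30 (Date would silently roll it over to 1 March) and dates in the future.
function parseDob(value, today) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value || '');
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  const roundTrips = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  if (!roundTrips || dt > today) return null;
  return dt;
}

// Returns what to store against the account: the outcome and when it was checked,
// never the raw date of birth (data minimisation).
function checkRegistrationAge(dobValue, region, today) {
  const minAge = region === 'EU' ? MIN_AGE_EU_DEFAULT : MIN_AGE_US;
  const checkedAt = today.toISOString();
  const dob = parseDob(dobValue, today);
  if (!dob) return { allowed: false, reason: 'invalid-date', checkedAt };
  if (ageInYears(dob, today) < minAge) return { allowed: false, reason: 'under-minimum-age', checkedAt };
  return { allowed: true, minimumAgeMet: minAge, checkedAt };
}

// Demo over constructed submissions on a fixed date: a 29 Feb 2012 birthday is still 12 on
// 28 Feb 2025. The dob is echoed here only for display; it is not part of the stored result.
function demo() {
  const today = new Date('2025-02-28T23:30:00Z');
  return [
    ['2012-02-29', 'US'],
    ['2012-02-28', 'US'],
    ['2009-02-28', 'EU'],
    ['2012-02-30', 'US'],
  ].map(([dob, region]) => ({ dob, region, ...checkRegistrationAge(dob, region, today) }));
}
```

Call `checkRegistrationAge(formValue, region, new Date())` in the registration handler and persist the returned object; if the user is under age, discard the submitted date immediately rather than keeping it in logs or form-retry state.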
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance; log which version of the ToS was accepted and when, so you can show what the user actually agreed to after the terms change. GDPR consent is separate from ToS acceptance: marketing consent needs its own unticked checkbox and must not be bundled with agreeing to the terms or with the processing needed to run the account (which rests on the contract, not on consent). Bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it stores identifiers on the visitor's device and sends data to Google's servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode with IP anonymisation available; configured that way it is among the audience-measurement tools the French regulator CNIL has treated as exempt from consent, though other authorities may read this more strictly.
- Plausible: From $9/month. No cookies, no personal data retained, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes analytics from your consent banner, simplifies the banner's categories, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics). Two caveats: the exemption depends on the tool actually running cookieless with anonymised data, so re-check the configuration after upgrades; and IP addresses are still processed, even if only transiently, so the tool still belongs in your privacy policy and, for hosted services, on your DPA list.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CPRA amended the CCPA, Brazil's LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU's ePrivacy Directive (the "Cookie Law") and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. "Prior" means before the cookie is set - not after the visitor has already been tracked for a session. The rule is about storing or reading anything on the visitor's device, so it covers localStorage, tracking pixels and fingerprinting scripts just as much as HTTP cookies.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, under which version of your cookie policy, and via what mechanism. Key the record by a random consent ID stored in the consent cookie rather than by name or email - proving consent must not become an excuse for collecting more personal data.
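The requirements above in working form, as an added example (not code from Complianz, CookieBot or any other plugin on this page): nothing but strictly necessary cookies runs before a choice is made, each category is granted separately, a Global Privacy Control signal from the browser is honoured as an opt-out of marketing, the consent record is keyed by a random consent ID rather than by personal data, and withdrawal is a single call. The cookie name, record layout, six-month re-consent period and the `type="text/plain"` script-gating convention are this example's assumptions; the GPC handling goes beyond the EU rules and anticipates the California section further down.

```javascript
'use strict';

// Constructed example, not code from any plugin named on the page. Cookie name,
// record layout and the 6-month re-consent period are this example's assumptions.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const CONSENT_COOKIE = 'site_consent';   // assumed cookie name
const CONSENT_MAX_AGE_DAYS = 180;        // re-ask after about six months (design choice)
const POLICY_VERSION = '2024-06-01';     // assumed: bump when the cookie policy changes

// Before any choice is made only strictly necessary cookies are allowed ("prior" consent).
// A Global Privacy Control signal from the browser is honoured as an opt-out of marketing.
function defaultChoices(nav) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  return { necessary: true, functional: false, analytics: false, marketing: false, gpc };
}

// Normalise what the banner returns: 'necessary' can never be switched off, and GPC keeps
// marketing off even if the visitor clicked "Accept all" (granular, not bundled).
function applyChoices(raw, nav) {
  const out = defaultChoices(nav);
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && raw[c] === true) out[c] = true;
  }
  if (out.gpc) out.marketing = false;
  return out;
}

// The record evidences what was consented to, when, under which policy version and how.
// It is keyed by a random consent ID, not by name or email: store no more than needed.
function buildConsentRecord(choices, meta) {
  const granted = CATEGORIES.filter((c) => choices[c] === true);
  return {
    id: meta.id,
    at: meta.now.toISOString(),
    expires: new Date(meta.now.getTime() + CONSENT_MAX_AGE_DAYS * 864e5).toISOString(),
    policyVersion: POLICY_VERSION,
    granted,
    method: meta.method,      // 'banner', 'settings-page', ...
    withdrawn: false,
  };
}

// Withdrawal must be as easy as consenting: keep the original record, flip the state.
function withdrawConsent(record, now) {
  return { ...record, granted: ['necessary'], withdrawn: true, withdrawnAt: now.toISOString() };
}

// Gated scripts ship as <script type="text/plain" data-consent="analytics" data-src="...">
// so the browser never runs them unasked; this decides which ones to activate.
function scriptsToActivate(tags, record) {
  return tags.filter((t) => t.category === 'necessary' || record.granted.includes(t.category));
}

// Browser-only: swap the inert tags for real script elements. Returns how many were activated.
function activateScripts(doc, record) {
  if (!doc) return 0;  // not in a browser (e.g. under test)
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ el, category: el.dataset.consent, src: el.dataset.src }));
  let n = 0;
  for (const t of scriptsToActivate(tags, record)) {
    const s = doc.createElement('script');
    s.src = t.src;
    t.el.replaceWith(s);
    n += 1;
  }
  return n;
}

// The consent cookie itself is strictly necessary, so it may be set before consent is given.
function consentCookieString(record) {
  const payload = { id: record.id, granted: record.granted, v: record.policyVersion };
  const value = encodeURIComponent(JSON.stringify(payload));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE_DAYS * 86400}; Path=/; Secure; SameSite=Lax`;
}

function newConsentId() {
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID();  // browsers and Node 19+
  }
  return `c-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;  // older Node
}

// Demo: a constructed visitor whose browser sends GPC clicks "Accept all" on the banner.
function demo() {
  const nav = { globalPrivacyControl: true };
  const choices = applyChoices({ functional: true, analytics: true, marketing: true }, nav);
  const record = buildConsentRecord(choices, { id: newConsentId(), now: new Date(), method: 'banner' });
  const tags = [
    { category: 'analytics', src: '/js/analytics.js' },
    { category: 'marketing', src: '/js/ad-pixel.js' },
  ];
  return { record, activate: scriptsToActivate(tags, record).map((t) => t.src) };
}
```

Ship third-party tags as `<script type="text/plain" data-consent="analytics" data-src="...">`, run `activateScripts(document, record)` once the visitor has chosen, and set `consentCookieString(record)` via `document.cookie`; POST the same record to your own endpoint, because the server-side copy is what you show a regulator, and the cookie is what lets a returning visitor skip the banner until it expires.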
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (default cookie mode), Hotjar session recordings | Yes under GDPR, unless the tool runs cookieless with anonymised data (see Privacy-First Analytics Options) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase data within one month, with exceptions such as records you must keep for tax or legal reasons); verify the requester's identity before acting on access or deletion requests, otherwise the process itself becomes a data leak
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Keep an internal register of every breach, including the ones you decide not to report and why - the authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually required to tell you about breaches promptly (this is normally in the DPA), since the 72-hour clock runs from your awareness, not theirs.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue above a threshold of roughly $25 million (adjusted for inflation every two years), buy/sell/share personal information of 100,000+ California residents or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be "selling" or "sharing" data under the CCPA's broad definitions.
The practical requirement for most websites: add a "Do Not Sell or Share My Personal Information" link in your site footer and honor the Global Privacy Control (GPC) browser signal as an opt-out request, which California's regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that GPC handling is switched on too.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers), and whether any of it leaves the EU/UK - international transfers and the safeguard you rely on (adequacy decision, Data Privacy Framework certification, standard contractual clauses)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
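The rules above, turned into code, as an added example that is not part of the article or of any plugin it compares: nothing non-essential runs before an active choice, categories are granular, each record captures who, when and which policy version, and withdrawal is a single call. The category names, record layout and tag manifest are assumptions for illustration.

```javascript
// Added example (not from the article or any plugin it compares): a minimal
// cookie-consent state model that applies the rules above. Category names,
// the record layout and the sample tag manifest are assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const ACTIVE_ACTIONS = ["accept_all", "reject_all", "save"];

// State before any user action: only strictly necessary is allowed.
// Nothing non-essential is "pre-ticked".
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn an explicit banner action into a consent record.
// `choices` lists the non-essential categories the user switched on in the
// granular view; anything absent stays denied. Scrolling or continuing to
// browse is not an action and is rejected.
function recordConsent({ action, choices = {}, policyVersion, visitorId, now = new Date() }) {
  if (!ACTIVE_ACTIONS.includes(action)) {
    throw new Error(`"${action}" is not an active consent action`);
  }
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (action === "accept_all") granted[cat] = true;
    else if (action === "save") granted[cat] = choices[cat] === true;
    // "reject_all": every non-essential category stays false
  }
  return {
    visitorId,                    // which (pseudonymous) user
    policyVersion,                // which cookie policy text they saw
    timestamp: now.toISOString(), // when
    action,
    granted,                      // what was consented to
  };
}

// Withdrawal is one call and returns the record to the default state,
// so it is exactly as easy as granting.
function withdrawConsent(record, now = new Date()) {
  return { ...record, action: "withdrawn", timestamp: now.toISOString(), granted: defaultConsent() };
}

// Script-blocking decision. With no record at all (first visit, banner still
// open) only "necessary" passes, which is what "prior consent" means.
function mayLoad(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  const granted = record ? record.granted : defaultConsent();
  return granted[category] === true;
}

// Split a tag manifest into tags that may run now and tags held back.
function planScripts(record, manifest) {
  const allowed = [];
  const blocked = [];
  for (const tag of manifest) {
    (mayLoad(record, tag.category) ? allowed : blocked).push(tag.name);
  }
  return { allowed, blocked };
}

// Constructed manifest mirroring the category table above.
const SAMPLE_MANIFEST = [
  { name: "session-cookie", category: "necessary" },
  { name: "csrf-token", category: "necessary" },
  { name: "language-pref", category: "functional" },
  { name: "google-analytics", category: "analytics" },
  { name: "facebook-pixel", category: "marketing" },
];

// Demo: first visit, then a granular "save" with only analytics switched on.
console.log(planScripts(null, SAMPLE_MANIFEST));
console.log(planScripts(
  recordConsent({ action: "save", choices: { analytics: true }, policyVersion: "2026-01", visitorId: "v1" }),
  SAMPLE_MANIFEST,
));
```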
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
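A way to verify the "never touches your server" claim rather than assume it, as an added example that is not from the article or from Stripe, PayPal or WooCommerce: scan each incoming form payload (or a database row during an audit) for values that look like a card number and pass the Luhn check, and refuse to log or store the submission. The function names are assumptions; the sample payloads are constructed.

```javascript
// Added example: detect primary account numbers (PANs) that should only ever
// have gone to the payment processor. Function names are assumptions.

// Luhn check over a string of digits (ISO/IEC 7812 check digit).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return the names of fields whose value contains a 13-19 digit run (spaces
// or dashes between groups tolerated) that passes Luhn. Long numeric ids can
// collide with Luhn by chance (1 in 10), so treat a hit as "review", not proof.
function findCardLikeFields(payload) {
  const hits = [];
  for (const [field, value] of Object.entries(payload)) {
    if (typeof value !== "string") continue;
    const runs = value.replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
    if (runs.some(luhnValid)) hits.push(field);
  }
  return hits;
}

// Gatekeeper for a form handler: card-like data is rejected before the
// payload is written to logs, email or the database.
function acceptSubmission(payload) {
  const hits = findCardLikeFields(payload);
  if (hits.length > 0) {
    return { accepted: false, reason: `card-like data in field(s): ${hits.join(", ")}` };
  }
  return { accepted: true };
}

// Constructed samples: a correct checkout sends only the processor's token;
// a misbuilt form posts the number itself.
const GOOD_PAYLOAD = { name: "A. Customer", payment_token: "tok_example_constructed", order_ref: "1234567890123" };
const BAD_PAYLOAD = { name: "A. Customer", card_number: "4242 4242 4242 4242", expiry: "12/30" };

console.log(acceptSubmission(GOOD_PAYLOAD));
console.log(acceptSubmission(BAD_PAYLOAD));
```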
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
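The requirements listed above and the category table, as an added JavaScript model (not code from the post or from any of the plugins compared below): default-deny for every non-essential category until an explicit choice, no pre-ticked defaults, granular categories, reject-all and withdrawal as easy as accept-all, and a consent record of what, when, which user and which policy version. The class, function and tag names, the policy version string and the sample tag inventory are constructed for this example.

```javascript
// Added example: consent state plus script gating, runnable in Node without a DOM.
// Category names follow the cookie category table; everything but 'necessary'
// is refused until the visitor actively opts in.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-05-01'; // constructed placeholder: version of the cookie policy shown

class ConsentManager {
  // `now` and `userId` are injectable so the consent record can be checked offline.
  constructor({ userId = 'anonymous', now = () => new Date() } = {}) {
    this.userId = userId;
    this.now = now;
    this.choices = null; // null = no decision yet: every non-essential category is refused
    this.records = [];   // append-only log: what was consented to, when, by whom
  }

  // Strictly necessary cookies are exempt; everything else needs an explicit true.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true;
    return this.choices !== null && this.choices[category] === true;
  }

  // Record a granular decision. Missing or non-boolean keys count as refused,
  // which is what "no pre-ticked boxes" means in code.
  decide(partial, method) {
    const choices = {};
    for (const c of CATEGORIES) {
      choices[c] = c === 'necessary' ? true : partial[c] === true;
    }
    this.choices = choices;
    this.records.push({
      userId: this.userId,
      at: this.now().toISOString(),
      policyVersion: POLICY_VERSION,
      method, // 'accept_all' | 'reject_all' | 'custom' | 'withdraw'
      choices: { ...choices },
    });
    return choices;
  }

  // Reject-all and withdraw are single calls, as easy as accept-all.
  acceptAll() { return this.decide({ functional: true, analytics: true, marketing: true }, 'accept_all'); }
  rejectAll() { return this.decide({}, 'reject_all'); }
  customize(partial) { return this.decide(partial, 'custom'); }
  withdraw() { return this.decide({}, 'withdraw'); }
}

// Script gating: each third-party tag carries its category and is only activated
// when that category is currently allowed. On a real page the activation step
// would turn a <script type="text/plain" data-category="..."> into a live script;
// here the function returns the list of sources that would be loaded.
function gateScripts(tags, consent) {
  return tags.filter((t) => consent.isAllowed(t.category)).map((t) => t.src);
}

// Constructed sample tag inventory matching the category table.
const SAMPLE_TAGS = [
  { src: '/js/session.js', category: 'necessary' },
  { src: '/js/lang-pref.js', category: 'functional' },
  { src: 'https://www.googletagmanager.com/gtag/js', category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', category: 'marketing' },
];

// Stand-alone run: before any decision only the session script loads.
const demo = new ConsentManager({ userId: 'user-123' });
console.log('before decision:', gateScripts(SAMPLE_TAGS, demo));
demo.customize({ analytics: true });
console.log('analytics only:', gateScripts(SAMPLE_TAGS, demo));
console.log('consent record:', demo.records[0]);
```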
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
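A server-side guard for the rule above, as an added example that is not code from the post or from any processor's SDK: with Stripe.js/Elements or PayPal's buttons, the browser should only ever send you an opaque token, so a raw, Luhn-valid 13 to 19 digit number arriving in your own form fields means card data is leaking into your scope and the submission should be rejected before it is logged or stored. The function names, field names and sample submissions are this example's own, and the pattern match is a heuristic, not a substitute for keeping card fields out of your forms.

```javascript
// Added example: detect and refuse raw primary account numbers (PANs) in form data.
// Luhn check (mod 10) used to separate real PANs from order numbers and phone numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally grouped with spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the normalised PANs (digits only) found in a string.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk every string field of a submission and return the names of fields holding a PAN.
function fieldsWithPan(submission) {
  const bad = [];
  for (const [field, value] of Object.entries(submission)) {
    if (typeof value === 'string' && findPans(value).length > 0) bad.push(field);
  }
  return bad;
}

// Gate: processor tokens (e.g. a "pm_..." payment method id) pass; raw card data does not.
function checkSubmission(submission) {
  const bad = fieldsWithPan(submission);
  if (bad.length === 0) return { ok: true, reason: null };
  return { ok: false, reason: `raw card data in field(s): ${bad.join(', ')}` };
}

// Redaction for logs and error reports: keep only the last four digits.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// Constructed sample submissions: one tokenised correctly, one with a card number
// typed into a free-text field (the 4242... number is a well-known test PAN).
const tokenised = { name: 'Ann', payment_method: 'pm_1AbcDefPlaceholder', amount: '1999' };
const leaking = { name: 'Bob', payment_method: '', note: 'my card is 4242-4242-4242-4242' };
console.log(checkSubmission(tokenised));
console.log(checkSubmission(leaking));
console.log(redactPans(leaking.note));
```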
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
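As an added illustration (example code, not from the original post nor from any plugin named on this page), the following script-blocking consent gate implements the requirements in the list above against the categories in the table: nothing non-essential runs before an explicit action, consent is granted per category, withdrawal is a single call, and every decision is stored as a record of what, when and how. The category names, the `data-consent`/`data-src` attribute convention, the `POLICY_VERSION` string and the sample tags are assumptions made for this example.

```javascript
// Added example: a minimal script-blocking consent gate. Category names, the
// data-consent/data-src convention, POLICY_VERSION and SAMPLE_TAGS are assumptions.

// Categories from the table above; only "necessary" is exempt from consent.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]);
const POLICY_VERSION = "2026-01"; // hypothetical version of your cookie policy text

// Default state: nothing non-essential is granted (no pre-ticked boxes).
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from an explicit user action. Passive signals such as
// scrolling or continuing to browse are refused because they are not valid consent.
function recordConsent(action, choices = {}, now = new Date()) {
  const explicit = new Set(["accept_all", "reject_all", "save_selection"]);
  if (!explicit.has(action)) {
    throw new Error(`"${action}" is not an explicit consent action`);
  }
  const granted = defaultConsent();
  if (action === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (action === "save_selection") {
    // Opt-in only: a category is granted solely when the user ticked it.
    for (const c of CATEGORIES) {
      if (!EXEMPT.has(c)) granted[c] = choices[c] === true;
    }
  }
  // The record answers: what was consented to, when, under which policy text, and how.
  return { version: POLICY_VERSION, timestamp: now.toISOString(), action, granted };
}

// Withdrawal must be as easy as giving consent: one call resets everything.
function withdrawConsent(now = new Date()) {
  return recordConsent("reject_all", {}, now);
}

// Decide which tags may run. A descriptor is { category, src }. "Prior" consent:
// without a record, or with a record that does not grant the category, nothing
// beyond strictly necessary scripts is released.
function scriptsToRelease(scripts, record) {
  const granted = record ? record.granted : defaultConsent();
  return scripts.filter((s) => EXEMPT.has(s.category) || granted[s.category] === true);
}

// Constructed sample: how third-party tags would be declared in the page.
const SAMPLE_TAGS = [
  { category: "necessary", src: "/js/cart.js" },
  { category: "analytics", src: "https://analytics.example/tag.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
];

// Browser glue (skipped under Node). Tags ship as
// <script type="text/plain" data-consent="analytics" data-src="..."> so the
// browser never executes them until this swaps a live <script> in for each
// released tag. Re-run it whenever a new record is saved or withdrawn.
function releaseBlockedTags(record) {
  if (typeof document === "undefined") return 0;
  const tags = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const descriptors = tags.map((t) => ({ category: t.dataset.consent, src: t.dataset.src, tag: t }));
  let released = 0;
  for (const d of scriptsToRelease(descriptors, record)) {
    const live = document.createElement("script");
    live.src = d.src;
    d.tag.replaceWith(live);
    released += 1;
  }
  return released;
}
```

Persist the returned record (for example server-side against the user or session) rather than only in the browser, since the consent log is what you will be asked to produce.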
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
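To catch the mistake this section warns about before it reaches your database, here is an added example (not from the original post, and not Stripe’s or PayPal’s code) of a server-side guard that flags Luhn-valid card numbers in incoming request bodies and rejects the request, logging only the field paths so the log itself never holds cardholder data. The Express-style middleware signature, the field names and the sample payloads are assumptions made for this example.

```javascript
// Added example: server-side guard against raw card numbers in request bodies.
// The Express-style middleware shape, field names and sample payloads are
// assumptions for this example, not code from any payment provider.

// Luhn checksum, which every real card number (PAN) satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when a single value looks like a PAN: 13 to 19 digits once spaces and
// dashes are stripped, and a valid Luhn checksum. Processor tokens such as
// "tok_..." or "pm_..." contain letters and never match.
function looksLikePan(value) {
  const compact = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(compact) && luhnValid(compact);
}

// Walk a parsed JSON body and return the paths of every PAN-like value.
function findPanFields(obj, path = "") {
  const hits = [];
  if (obj === null || obj === undefined) return hits;
  if (typeof obj === "string" || typeof obj === "number") {
    if (looksLikePan(obj)) hits.push(path || "$");
    return hits;
  }
  if (typeof obj === "object") {
    for (const [key, val] of Object.entries(obj)) {
      hits.push(...findPanFields(val, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Verdict for one request body. Only the field paths are reported, never the
// values, so the rejection log does not itself become cardholder data.
function checkPayload(body) {
  const fields = findPanFields(body);
  if (fields.length === 0) return { ok: true, fields: [] };
  return {
    ok: false,
    fields,
    reason: "raw card number in request body; collect cards client-side via the processor",
  };
}

// Express-style middleware (req, res, next): reject and record the field paths.
function rejectRawCardData(req, res, next) {
  const verdict = checkPayload(req.body);
  if (verdict.ok) return next();
  console.warn("PCI scope violation: card data in fields", verdict.fields);
  return res.status(400).json({ error: verdict.reason, fields: verdict.fields });
}

// Constructed sample payloads: a 16-digit order id that fails Luhn and a
// processor token are fine; a real-format card number is not.
const SAFE_ORDER = { order_id: "1234567890123456", payment_method: "pm_1AbCdEfGhIjKlMnO" };
const LEAKY_ORDER = { customer: { name: "Test" }, card: { number: "4242 4242 4242 4242", exp: "12/30" } };
```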
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
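The rules in the list above (no pre-ticked boxes, granular categories, reject as easy as accept, withdrawal, a stored record) are easier to get right when the banner renders from a small consent model rather than from ad hoc cookie checks. The following is an added example, not code from this article or from any of the plugins compared below: a plain JavaScript consent state using the four category names from the table. The banner markup, the cookie or local-storage entry that persists the record, the policy version string, and the pseudonymous `subjectId` are all assumptions.

```javascript
// Added example (not from the article): a minimal consent-state model that
// encodes the cookie-consent rules as data. Nothing non-essential is on by
// default, reject-all is one call just like accept-all, choices are kept per
// category, and every decision produces a record of what/when/which version.
// Category names follow the article's table; persisting the record and the
// banner DOM are left to the site (assumed, not shown).

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // assumed: bump whenever the cookie policy changes

// Default state: only strictly necessary is on. This is the "no pre-ticked
// boxes" rule expressed as data; the banner must render from this state.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the user's explicit choices. Unknown categories
// throw; attempts to switch "necessary" off are ignored (it is not a choice).
function recordConsent(choices, { now = new Date(), subjectId } = {}) {
  const record = defaultChoices();
  for (const [cat, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    if (cat === 'necessary') continue;
    record[cat] = value === true; // anything but an explicit true is a refusal
  }
  return {
    choices: record,
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    subjectId: subjectId || null, // pseudonymous id the site assigns (assumed)
    method: 'banner',             // how consent was obtained, for the audit log
  };
}

// "Accept all" and "Reject all" must be equally available: both are one call.
const acceptAll = (opts) =>
  recordConsent({ functional: true, analytics: true, marketing: true }, opts);
const rejectAll = (opts) => recordConsent({}, opts);

// Withdrawal is simply a new record with that category switched off.
function withdraw(record, category, opts) {
  return recordConsent({ ...record.choices, [category]: false }, opts);
}

// Gate for script loading: a tag marked with a category loads only if the
// current record allows it. With no record at all (before any click), only
// necessary scripts may run; that is what "prior consent" means in practice.
function mayLoad(record, category) {
  if (category === 'necessary') return true;
  if (!record) return false;
  return record.choices[category] === true;
}

// A stored record counts as evidence of consent only if it came from an
// explicit action and matches the policy version the visitor actually saw.
function isValidRecord(record) {
  return Boolean(record)
    && record.method === 'banner'
    && record.policyVersion === POLICY_VERSION
    && typeof record.timestamp === 'string';
}
```

Wire the gate to your script tags (for example, only append a `<script>` for analytics when `mayLoad(record, 'analytics')` is true) and store the returned record in the consent log; a record with a different `policyVersion` should trigger a fresh banner rather than being reused.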
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
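The WordPress tools cover core data, but the checklist items above (access, portability, erasure with exceptions, a 30-day clock) still need a process that reaches every store, including plugin tables. As an added example, not code from this article or from WordPress, here is a plain JavaScript handler over an in-memory stand-in for three typical stores (users, orders, form entries). The store layout, the e-mail key, and the rule that order records are retained under a legal obligation are assumptions; all data is constructed.

```javascript
// Added example (not from the article): access/portability export and erasure
// with exceptions, over constructed in-memory stores keyed by e-mail address.
// The stores, the key, and the retention rule below are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed stores standing in for wp_users, WooCommerce orders and form entries.
const stores = {
  users:   [{ email: 'ana@example.com', name: 'Ana', registered: '2025-03-01' }],
  orders:  [{ email: 'ana@example.com', id: 'ORD-1', total: 49.0, date: '2025-04-02' },
            { email: 'bo@example.com',  id: 'ORD-2', total: 12.0, date: '2025-05-09' }],
  entries: [{ email: 'ana@example.com', form: 'contact', message: 'Hello', date: '2025-06-10' }],
};

// Response deadline: 30 days from receipt, as in the checklist above.
function responseDeadline(receivedAt) {
  return new Date(receivedAt.getTime() + 30 * DAY_MS).toISOString().slice(0, 10);
}

// Access + portability: gather everything held about one subject, store by
// store, into a machine-readable structure (JSON.stringify it to hand over).
function exportSubject(email, db) {
  const out = {};
  for (const [name, rows] of Object.entries(db)) {
    out[name] = rows.filter(r => r.email === email);
  }
  return out;
}

// Erasure "with exceptions": stores kept under a legal obligation (assumed
// here: order/financial records) are pseudonymised instead of deleted, and
// the function reports exactly what it did so the reply to the subject can
// say which data was erased and which was retained and why.
const RETAIN_FOR_LEGAL_OBLIGATION = new Set(['orders']); // assumed policy

function eraseSubject(email, db) {
  const report = { deleted: {}, retained: {} };
  for (const [name, rows] of Object.entries(db)) {
    const mine = rows.filter(r => r.email === email);
    if (mine.length === 0) continue;
    if (RETAIN_FOR_LEGAL_OBLIGATION.has(name)) {
      for (const r of mine) r.email = 'erased'; // strip the identifying field, keep the record
      report.retained[name] = mine.length;
    } else {
      db[name] = rows.filter(r => r.email !== email);
      report.deleted[name] = mine.length;
    }
  }
  return report;
}
```

The point of the report object is the checklist's "with exceptions": the reply to the data subject has to state what was retained and on which basis, and an erasure routine that silently skips a table cannot produce that sentence.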
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
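Tokenizing client-side keeps card numbers off your server by design, but customers still paste them into contact forms and order notes, and debug logging can capture request bodies. A periodic check that no PAN has ended up in your database or logs is the practitioner's safety net for the "do not store card numbers anywhere" rule. The following is an added example, not code from this article or from Stripe, PayPal or WooCommerce: a scanner that finds 13-19 digit runs and keeps only those passing the Luhn check, reporting a masked form only. The sample records are constructed; the card numbers in them are the widely published test numbers 4242 4242 4242 4242 and 5555 5555 5555 4444, not real cards.

```javascript
// Added example (not from the article): detect card numbers that have leaked
// into stored text (database rows, form entries, log lines). Candidates are
// 13-19 digit runs, optionally space- or dash-separated; the Luhn check
// removes most random numeric ids. Only a masked form is ever reported.

function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

const CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      // first six (BIN) and last four are enough to locate the record; never log the full PAN
      const masked = digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
      hits.push({ index: m.index, masked });
    }
  }
  return hits;
}

// Scan a set of records (rows dumped from a table, lines of a log file) and
// report which ones contain a PAN.
function scanRecords(records) {
  return records.flatMap((text, i) => findPans(text).map(h => ({ record: i, ...h })));
}

// Constructed sample: a clean order note, a customer note with a pasted card,
// a log line with a 16-digit request id that is not a card, and a PAN stored
// by mistake next to a "last four" field.
const SAMPLE_RECORDS = [
  'order 1001 paid via stripe token tok_visa amount 49.00',
  'Customer note: please charge my card 4242 4242 4242 4242 exp 12/27',
  'request id 1234567890123456 completed in 12ms',
  'card ending 4444 (5555555555554444) stored by mistake',
];
```

Run `scanRecords` over exported table contents and log files on the schedule you use for cookie scans; a hit means that record has to be redacted and the intake path that let the number in (a free-text field, request-body logging) fixed.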
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
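The requirements list and category table above, expressed as consent-state logic that a banner or tag loader could sit on; this is an added example, not code from Complianz, CookieBot or any other plugin named on this page. The policy version string, method names and the pseudonymous subject id are constructed placeholders.

```javascript
// Added example (not from any plugin on this page): consent state for the four
// cookie categories, with no pre-ticked boxes, prior consent, easy withdrawal,
// script gating and an append-only consent log.
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];
const POLICY_VERSION = "cookie-policy-v3"; // constructed: bump whenever the cookie policy changes
// Only an active click counts as consent; scrolling or continuing to browse is passive.
const ACTIVE_METHODS = new Set(["accept_all", "reject_all", "custom", "withdraw"]);

// No pre-ticked boxes: every optional category starts out refused.
function defaultChoices() {
  return { functional: false, analytics: false, marketing: false };
}

// Build a consent record: what was consented to, when, by whom and how.
function recordConsent(choices, ctx) {
  if (!ACTIVE_METHODS.has(ctx.method)) {
    throw new Error(`"${ctx.method}" is passive and does not constitute consent`);
  }
  const stored = defaultChoices();
  for (const [category, value] of Object.entries(choices)) {
    if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
    if (typeof value !== "boolean") throw new Error(`choice for "${category}" must be boolean`);
    stored[category] = value;
  }
  return {
    version: POLICY_VERSION,
    timestamp: ctx.now,       // ISO-8601 string supplied by the caller
    subjectId: ctx.subjectId, // assumed: a pseudonymous visitor id kept in a first-party cookie
    method: ctx.method,
    choices: stored,
  };
}

// Withdrawal is just a newer record with every optional category off,
// so it is as easy as granting consent and leaves an audit trail.
function withdrawConsent(ctx) {
  return recordConsent({}, { ...ctx, method: "withdraw" });
}

// "Prior" consent: with no record, or one given for an older policy version,
// nothing optional may load. Strictly necessary cookies are always allowed;
// unknown categories fail closed.
function isAllowed(record, category) {
  if (category === "strictly_necessary") return true;
  if (!OPTIONAL_CATEGORIES.includes(category)) return false;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// Gate third-party loaders by category. `registry` maps a category to loader
// functions (e.g. one that injects the analytics <script>); each runs at most once.
function gateScripts(registry, record, alreadyLoaded = new Set()) {
  const result = { loaded: [], blocked: [] };
  for (const [category, loaders] of Object.entries(registry)) {
    for (const loader of loaders) {
      const key = `${category}:${loader.name}`;
      if (!isAllowed(record, category)) {
        result.blocked.push(key);
        continue;
      }
      if (!alreadyLoaded.has(key)) {
        loader();
        alreadyLoaded.add(key);
      }
      result.loaded.push(key);
    }
  }
  return result;
}

// Append-only consent log; the newest record for a subject is the one in force.
class ConsentLog {
  constructor() {
    this.records = [];
  }
  append(record) {
    this.records.push(Object.freeze({ ...record, choices: { ...record.choices } }));
    return record;
  }
  latestFor(subjectId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].subjectId === subjectId) return this.records[i];
    }
    return null;
  }
}
```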
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
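A server-side safety net for the "never store card numbers" rule: an added example, not code from Stripe, PayPal or WooCommerce, that detects Luhn-valid 13 to 19 digit runs in free-text fields or log lines so they can be refused or redacted before they reach your database. The sample inputs are constructed; this complements Elements or Smart Buttons, it does not replace them.

```javascript
// Added example: detect and redact card numbers (PANs) that users paste into
// free-text fields or that leak into logs. Not a substitute for client-side
// tokenization, only a guard against accidental storage of card data.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs of 13-19 digits, allowing the spaces or dashes people type into forms.
// The word boundaries keep longer numeric runs (order ids, timestamps) from matching.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function normalizeDigits(candidate) {
  return candidate.replace(/[ -]/g, "");
}

function looksLikePan(candidate) {
  const digits = normalizeDigits(candidate);
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Every Luhn-valid candidate found in the text, as digit strings.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    if (looksLikePan(m[0])) found.push(normalizeDigits(m[0]));
  }
  return found;
}

// Mask all but the last four digits so the text can be logged or stored safely.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    if (!looksLikePan(m)) return m;
    const digits = normalizeDigits(m);
    return "*".repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Screen a whole form submission: refuse it if any field carries a PAN,
// and say which fields so the user can be told to remove the number.
function screenSubmission(fields) {
  const offending = Object.entries(fields)
    .filter(([, value]) => findPans(value).length > 0)
    .map(([name]) => name);
  return { ok: offending.length === 0, offending };
}
```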
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A browsewrap clause (using the site implies acceptance) is weakly enforceable; for accounts and paid services use clickwrap, an explicit unticked "I agree" checkbox at registration or checkout
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU's ePrivacy Directive (the "Cookie Law") and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. "Prior" means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers any storing of, or access to, information on the visitor's device, so localStorage, tracking pixels and fingerprinting scripts are in scope as well, not only cookies.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)). Store what was consented to, when, which version of the banner and cookie policy the visitor saw, and a pseudonymous identifier for the visitor (the consent cookie ID is enough; you do not need to keep IP addresses for this)
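The two mechanics behind these requirements are script gating (nothing non-essential runs until the visitor has decided) and a consent log you can produce later. The following is an added example, not code from the article or from any of the plugins it discusses. It assumes third-party tags are declared in the HTML as `<script type="text/plain" data-consent="analytics" src="..."></script>` so the browser does not execute them on load; the tags are represented as plain objects here so the logic runs outside a browser, and the analytics and marketing URLs are placeholders.

```javascript
// Added example (not code from the article or from any plugin): a consent state model that
// enforces "prior consent" by holding third-party scripts until the visitor decides, and an
// append-only consent record. Gated tags are assumed to be declared as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// and are modelled here as plain objects so the logic runs without a DOM.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// State before the banner is answered, and after "reject all" or withdrawal:
// only strictly-necessary scripts may run.
function refusedExceptNecessary() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  constructor(policyVersion, visitorId) {
    this.policyVersion = policyVersion; // bump whenever the cookie policy or banner text changes
    this.visitorId = visitorId;         // pseudonymous id (e.g. the consent cookie value), not an IP
    this.decision = null;               // null = no decision yet, treated as refused
    this.records = [];                  // append-only log used to demonstrate consent later
  }

  // `choices` maps category -> true; anything not explicitly true is refused (no pre-ticking).
  update(choices, method, nowMs = Date.now()) {
    const state = refusedExceptNecessary();
    for (const cat of CATEGORIES) {
      if (cat !== "necessary" && choices[cat] === true) state[cat] = true;
    }
    this.decision = state;
    this.records.push({
      at: new Date(nowMs).toISOString(),
      visitorId: this.visitorId,
      policyVersion: this.policyVersion,
      method,                            // "banner", "settings", "accept_all", "reject_all", "withdraw"
      categories: { ...state },
    });
    return state;
  }

  acceptAll(nowMs) { return this.update({ functional: true, analytics: true, marketing: true }, "accept_all", nowMs); }
  rejectAll(nowMs) { return this.update({}, "reject_all", nowMs); }
  withdraw(nowMs)  { return this.update({}, "withdraw", nowMs); } // one call: as easy as consenting

  // Sources of the gated scripts that may be activated under the current decision.
  scriptsToActivate(tags) {
    const state = this.decision || refusedExceptNecessary();
    return tags.filter(t => state[t.category] === true).map(t => t.src);
  }
}

// Browser-only helper: turn a held <script type="text/plain"> into an executing script.
// A freshly created element with an executable type is what makes the browser run it.
function activateTag(doc, el) {
  const live = doc.createElement("script");
  for (const attr of el.attributes) live.setAttribute(attr.name, attr.value);
  live.type = "text/javascript";
  live.textContent = el.textContent;
  el.replaceWith(live);
}

// Constructed sample tags (the analytics and marketing URLs are placeholders).
const GATED_TAGS = [
  { src: "/wp-content/plugins/example-shop/cart.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];
```

In a real page, the banner's buttons call `update`, `acceptAll` or `rejectAll`, then loop over `document.querySelectorAll('script[type="text/plain"][data-consent]')` and call `activateTag` for each element whose category is in `scriptsToActivate`. The records array is what you would persist server-side (or in the consent plugin's log table) so that, on a complaint, you can show the version of the policy the visitor saw and exactly which categories they accepted.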
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (some regulators, e.g. CNIL, exempt strictly first-party audience measurement such as Matomo in its cookieless configuration) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data without undue delay and within one month of receipt, extendable by two further months for complex or numerous requests if you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month deadline, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google's DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation (Article 28) even if everything else is in order. If the vendor processes data outside the EU/EEA, as most US SaaS providers do, the DPA must also cover the transfer mechanism, typically Standard Contractual Clauses or the vendor's EU-US Data Privacy Framework certification; check that the clauses are actually included in what you signed, not merely referenced.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media) but only include plugin data if the plugin registers its own handlers through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Run a test export for a real account and check whether WooCommerce orders, BuddyPress profiles, or form submissions appear; anything missing needs the plugin's own export/erasure tool or a manual process.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. Keep an internal log of every breach, including those you decide not to report and why (Article 33(5)); the authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting and SaaS vendors' DPAs oblige them to report breaches to you promptly - the 72 hours run from when you become aware, not from when the vendor does.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data is entered only into the processor's hosted page or iframe and never passes through your servers, your scope shrinks to SAQ A (the shortest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of logs, form-submission exports, and support tickets too - accidental storage is the usual way a "we never touch card data" site ends up holding cardholder data. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside the processor's iframe, and tokenizing them before anything reaches your server. PCI DSS v4 also expects the page that hosts the payment iframe to be protected against script-based skimming (a compromised plugin script on the checkout page can read what the visitor types), so keep checkout pages free of unnecessary third-party JavaScript and review what loads there after every plugin update.
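A practical check behind "do not store card numbers anywhere" is to scan what you do store for numbers that look like cards. The following is an added example, not code from the article or from any payment processor: it runs over a text export (a database dump, a debug log, a form plugin's CSV) and reports digit runs of 13 to 19 digits that pass the Luhn check, masked so the report is not itself cardholder data. The sample export lines are constructed for the example and use the well-known Visa and Mastercard test numbers.

```javascript
// Added example (not the article's code): scan a text export - a database dump, a log file,
// a form-submission CSV - for card numbers that should never have been stored. Candidates are
// runs of 13-19 digits (single spaces or dashes allowed) that pass the Luhn check; hits are
// reported with all but the last four digits masked.

// Luhn mod-10 check on a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

function maskPan(digits) {
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Returns one entry per probable PAN: the 1-based line it was found on, the masked number,
// and the digit count. Timestamps, order ids and most tracking numbers fail Luhn and are dropped.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length < 13 || digits.length > 19) continue;
    if (!luhnValid(digits)) continue;
    const line = text.slice(0, m.index).split("\n").length;
    hits.push({ line, masked: maskPan(digits), digits: digits.length });
  }
  return hits;
}

// Constructed sample: four lines as they might appear in a shop's debug log or order notes.
// Line 1 logs a raw PAN (never acceptable), line 2 is a tokenized payment (fine),
// line 3 is a card number typed into a free-text note, line 4 is a tracking number that
// happens to be 16 digits long but fails Luhn.
const SAMPLE_EXPORT = [
  "2024-06-15T12:30:45Z order=100045 total=45.00 pan=4111 1111 1111 1111 cvv=123",
  "2024-06-15T12:31:02Z order=100046 token=tok_1PZ2x3AbCd last4=0004",
  "2024-06-15T12:31:40Z user=8812 note=customer read card 5500-0000-0000-0004 over the phone",
  "2024-06-15T12:32:10Z order=100047 tracking=1234567890123456 carrier=ups",
].join("\n");
```

Run `findPans` over `mysqldump` output, `wp-content/debug.log`, form-plugin exports and, importantly, backups: a PAN that was logged once and then rotated out of the live log often survives in backup archives. Free-text fields (order notes, support tickets, contact forms) are where card numbers most often turn up on sites that otherwise never touch them.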
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation must be renewed every three years or it lapses, and the safe harbor with it; put the renewal date in your maintenance schedule. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance; log the timestamp and the version of the terms accepted alongside the account. Do not bundle marketing consent into that checkbox: under GDPR, consent for email marketing must be a separate, unticked checkbox, while the account data you need to provide the service is processed on the contract basis and needs no consent checkbox at all. Consent that is bundled with terms acceptance is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
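The monthly cookie scan in the table above is worth automating, because the question it answers is narrow: after a first page load with no consent given, which cookies exist, and should any of them be there? The following is an added example, not code from the article or from any consent plugin. It accepts raw `Set-Cookie` header strings (as captured with `curl -sS -D - -o /dev/null https://example.com`) and cookie-jar records in the shape a headless browser returns (Puppeteer's `page.cookies()` after loading the page in a fresh context), because cookies set by JavaScript, which is how analytics and pixel cookies are set, never appear in response headers. The name-to-category table covers well-known cookies only; anything it does not recognise is flagged for review rather than silently classified. The sample input is constructed.

```javascript
// Added example (not the article's or any plugin's code): classify the cookies present after a
// first page load with no consent given, and flag prior-consent and cookie-attribute problems.
// Input is a mix of raw Set-Cookie header strings (server-set cookies) and cookie-jar records
// { name, secure, httpOnly, sameSite } from a headless browser (covers JavaScript-set cookies).

const KNOWN_COOKIES = [
  { re: /^(wordpress_logged_in_|wordpress_sec_|PHPSESSID$)/, category: "necessary", owner: "WordPress/PHP session and auth", sensitive: true },
  { re: /^(woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_)/, category: "necessary", owner: "WooCommerce cart" },
  { re: /^cmplz_/, category: "necessary", owner: "Complianz consent state" },
  { re: /^(_ga|_gid|_gat)/, category: "analytics", owner: "Google Analytics" },
  { re: /^_pk_/, category: "analytics", owner: "Matomo" },
  { re: /^_fbp$/, category: "marketing", owner: "Meta Pixel" },
  { re: /^_gcl_/, category: "marketing", owner: "Google Ads" },
];

// Parse one Set-Cookie header value into the same shape a headless browser's cookie jar uses.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const rec = { name: eq === -1 ? pair : pair.slice(0, eq), secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") rec.secure = true;
    else if (key === "httponly") rec.httpOnly = true;
    else if (key === "samesite") rec.sameSite = v.trim();
  }
  return rec;
}

function classify(name) {
  const known = KNOWN_COOKIES.find(c => c.re.test(name));
  return known
    ? { category: known.category, owner: known.owner, sensitive: !!known.sensitive }
    : { category: "unclassified", owner: "unknown - find the plugin that sets it", sensitive: false };
}

// One finding per cookie: its category and a list of problems.
// "set-before-consent": a non-necessary cookie existed before the banner was answered.
// "unclassified": not in the table; treat as a consent failure until proven otherwise.
function auditFirstLoad(cookies) {
  return cookies
    .map(c => (typeof c === "string" ? parseSetCookie(c) : c))
    .map(rec => {
      const info = classify(rec.name);
      const flags = [];
      if (info.category === "unclassified") flags.push("unclassified");
      else if (info.category !== "necessary") flags.push("set-before-consent");
      if (!rec.secure) flags.push("missing-Secure");
      if (info.sensitive && !rec.httpOnly) flags.push("missing-HttpOnly");
      if (!rec.sameSite) flags.push("missing-SameSite");
      return { name: rec.name, category: info.category, owner: info.owner, flags };
    });
}

// Names that should not have been set on a no-consent load.
function consentViolations(findings) {
  return findings
    .filter(f => f.flags.includes("set-before-consent") || f.flags.includes("unclassified"))
    .map(f => f.name);
}

// Constructed sample: two server Set-Cookie headers plus three jar entries captured by a
// headless browser after loading the home page and answering nothing on the banner.
const SAMPLE_FIRST_LOAD = [
  "PHPSESSID=3f2c9b1a; Path=/; Secure; HttpOnly; SameSite=Lax",
  "woocommerce_cart_hash=9f8e21; Path=/; Secure; SameSite=Lax",
  { name: "_ga", secure: false, httpOnly: false, sameSite: "Lax" },
  { name: "_fbp", secure: true, httpOnly: false, sameSite: "Lax" },
  { name: "mystery_tracker", secure: false, httpOnly: false, sameSite: undefined },
];
```

On the sample, `consentViolations` returns `_ga`, `_fbp` and `mystery_tracker`: the first two mean an analytics and a marketing script ran before consent (the plugin that loads them is not gated), and the third is whatever a recently installed plugin added. Extend `KNOWN_COOKIES` as you identify each one, and keep the audit in CI or a monthly cron so the table stays in step with the cookie policy.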
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR together with the ePrivacy rules on electronic marketing, you need opt-in consent to send marketing emails, with the narrow "soft opt-in" exception for existing customers who were offered an opt-out when they bought from you. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages, with limited exceptions such as implied consent from an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and ePrivacy because it stores tracking cookies on the visitor's device; sending the data to Google's servers in the US is a separate international-transfer question that needs its own valid transfer mechanism. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Several regulators (CNIL in France, for example) exempt it from consent when it is configured for audience measurement only: cookieless or first-party cookies, truncated IP addresses, no cross-site tracking, and no sharing of the data.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour (Article 3(2)). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods/services to, or monitoring, people in the EU | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible, collects any data (email signups, contact forms, cookies, analytics), and either does business with or tracks visitors in the EU, you are subject to GDPR. Analytics and advertising cookies count as monitoring behaviour, so a site running Google Analytics or an ad pixel on EU visitors is in scope even if it sells them nothing. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
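The requirements and categories above, as an added example that is not code from the article or from any of the plugins it compares: a minimal consent gate in which nothing outside the Strictly Necessary category runs before an active decision, consent is per category, withdrawal is a single call, and every decision is appended to a consent record. The script descriptors, category names and the `data-consent` attribute convention are assumptions for the example.

```javascript
// Added example (not the article's code). Categories follow the article's table;
// only "necessary" is exempt from consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const EXEMPT = new Set(['necessary']);

// Constructed sample of scripts a site might hold back until consent.
const SAMPLE_SCRIPTS = [
  { id: 'session', category: 'necessary', src: '/js/session.js' },
  { id: 'matomo', category: 'analytics', src: 'https://analytics.example/matomo.js' },
  { id: 'adpixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Initial state: no decision yet. This is deliberately not "rejected": the
// banner stays up and non-exempt scripts stay held until the visitor chooses.
function createConsentState() {
  return { decided: false, granted: new Set(EXEMPT), records: [] };
}

// Record an active decision. `choices` maps category -> boolean as the user
// left the banner's checkboxes; anything absent counts as not granted, which
// is what "no pre-ticked boxes" means in code. `visitorId` is an id the banner
// issues at random (assumed), not a tracking identifier.
function recordDecision(state, choices, visitorId, now = new Date()) {
  const granted = new Set(EXEMPT);
  for (const cat of CATEGORIES) {
    if (!EXEMPT.has(cat) && choices[cat] === true) granted.add(cat);
  }
  state.decided = true;
  state.granted = granted;
  state.records.push({
    visitorId,
    at: now.toISOString(),
    action: 'decision',
    granted: [...granted].filter((c) => !EXEMPT.has(c)),
  });
  return state;
}

// Withdrawal must be as easy as giving consent: one call, same record format.
// "Reject All" on the banner is this same function.
function withdrawAll(state, visitorId, now = new Date()) {
  state.decided = true;
  state.granted = new Set(EXEMPT);
  state.records.push({ visitorId, at: now.toISOString(), action: 'withdrawal', granted: [] });
  return state;
}

function isAllowed(state, category) {
  return state.granted.has(category);
}

// Which held scripts may run right now. Exempt scripts always may; everything
// else only after consent to its category. Returns the ids, so the caller (or
// the test) can check the decision without a DOM.
function scriptsToActivate(state, descriptors) {
  return descriptors.filter((d) => isAllowed(state, d.category)).map((d) => d.id);
}

// Browser glue, skipped when there is no DOM. Held scripts are written as
// <script type="text/plain" data-consent="analytics" data-src="..."></script>
// so the browser neither fetches nor executes them before consent ("prior").
function activateHeldScripts(state) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  const held = document.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const el of held) {
    if (el.dataset.activated || !isAllowed(state, el.dataset.consent)) continue;
    const live = document.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent;
    el.dataset.activated = '1';
    el.parentNode.insertBefore(live, el.nextSibling);
    activated += 1;
  }
  return activated;
}
```

On a real page, `activateHeldScripts` is called once after the visitor's choice is recorded and again after any later change, never on page load before a decision exists.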
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, typically to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal (sent as the Sec-GPC: 1 request header and exposed to scripts as navigator.globalPrivacyControl) as an opt-out of sale and sharing. California regulators treat a site that ignores GPC as non-compliant even when the footer link exists. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of logs, error reports, and support tickets as well. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (inside an iframe served by the processor) and tokenizing them before anything reaches your server. SAQ A still leaves you responsible for the page that hosts the payment form: a compromised plugin or theme that injects a script into checkout can overlay or replace the form and skim card data before the processor ever sees it, so keep WordPress and plugins patched, restrict which scripts run on the checkout page, and review that page’s script list after every plugin update.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and the designation must be renewed every three years or it lapses (and the safe harbor with it). Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance (store the timestamp and the ToS version alongside the account). For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and neither is a marketing checkbox that is pre-ticked or required to complete registration.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with limited exceptions such as an existing business relationship (which only gives implied consent for a limited period).
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. Also support one-click unsubscribe through the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058): Gmail and Yahoo have required it from bulk senders since 2024, and most platforms add it automatically. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly: enable cookie-less tracking and IP anonymization, and document legitimate interest as the lawful basis, because visit data (IP address, user agent) is still personal data even when no cookie is set.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
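The five requirements above translate directly into code. The following is an added example (not code from Complianz, CookieYes or any other plugin named on this page) of a minimal consent manager: nothing is granted by default, each category is a separate decision, the stored record says what was consented to, when, under which policy version and by what method, and withdrawal is a single call. It assumes the convention of shipping non-essential scripts inert as `<script type="text/plain" data-consent-category="analytics" src="...">` and only activating them after consent; the element ids in `initConsentBanner` are assumptions for the example.

```javascript
// Added example: a minimal consent manager for the practical requirements above.
// Not code from any plugin named on the page. Assumption: non-essential scripts are
// shipped inert as <script type="text/plain" data-consent-category="..."> and are
// only activated once their category has been explicitly granted.

const CONSENT_CATEGORIES = ["functional", "analytics", "marketing"];
const CONSENT_POLICY_VERSION = "2024-01"; // bump whenever the cookie policy text changes
const CONSENT_STORAGE_KEY = "cookie_consent_v1";

// Build a consent record. Nothing is pre-ticked: a category is granted only when it
// appears in `granted`; unknown category names are ignored.
function createConsentRecord(granted, now = Date.now()) {
  const choices = {};
  for (const cat of CONSENT_CATEGORIES) choices[cat] = false;
  for (const cat of granted) if (cat in choices) choices[cat] = true;
  return {
    choices,
    timestamp: new Date(now).toISOString(),
    policyVersion: CONSENT_POLICY_VERSION,
    method: "explicit_click", // never "scroll" or "implied"
  };
}

// "Reject All" is simply a record with no categories granted.
function rejectAll(now) { return createConsentRecord([], now); }

// A stored record counts only if it was made under the current policy version by an
// explicit click; anything else means "not yet consented" and the banner shows again.
function isRecordValid(record) {
  return !!record && record.policyVersion === CONSENT_POLICY_VERSION
    && record.method === "explicit_click";
}

// Strictly necessary scripts never need consent; every other category needs a grant.
function mayLoad(category, record) {
  if (category === "necessary") return true;
  return isRecordValid(record) && record.choices[category] === true;
}

// Withdrawal must be as easy as giving consent: one call resets to reject-all.
function withdrawConsent(now) { return rejectAll(now); }

// Browser-only persistence, guarded so the logic above also runs under Node.
function saveRecord(record) {
  if (typeof localStorage !== "undefined")
    localStorage.setItem(CONSENT_STORAGE_KEY, JSON.stringify(record));
}
function loadRecord() {
  if (typeof localStorage === "undefined") return null;
  try { return JSON.parse(localStorage.getItem(CONSENT_STORAGE_KEY)); }
  catch { return null; }
}

// Activate inert scripts whose category is granted by replacing them with real script
// elements. Scripts in an ungranted category stay inert. Returns the count activated.
function activateConsentedScripts(record) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  document.querySelectorAll('script[type="text/plain"][data-consent-category]')
    .forEach((inert) => {
      if (!mayLoad(inert.dataset.consentCategory, record)) return;
      const live = document.createElement("script");
      if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
      inert.replaceWith(live);
      activated++;
    });
  return activated;
}

// Wire-up for a banner with unchecked category checkboxes (name="consent"), an
// "Accept selected" button, a "Reject all" button and a footer "Cookie settings" link.
function initConsentBanner() {
  if (typeof document === "undefined") return;
  const on = (id, fn) => { const el = document.getElementById(id); if (el) el.onclick = fn; };
  const existing = loadRecord();
  if (isRecordValid(existing)) { activateConsentedScripts(existing); return; }
  on("consent-accept-selected", () => {
    const granted = [...document.querySelectorAll("input[name=consent]:checked")]
      .map((box) => box.value);
    const rec = createConsentRecord(granted);
    saveRecord(rec); activateConsentedScripts(rec);
  });
  on("consent-reject-all", () => saveRecord(rejectAll()));
  on("consent-withdraw", () => { saveRecord(withdrawConsent()); location.reload(); });
}

initConsentBanner();
```

The record produced by `createConsentRecord` is what you keep as your consent log entry (the page's "what, when, by which user"); a real deployment would post it to the server alongside a user or visitor id rather than keeping it only in `localStorage`, and would change `CONSENT_POLICY_VERSION` whenever the cookie policy text changes so that old grants are re-asked rather than silently carried over.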
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
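The 4.5:1 ratio is computed from the WCAG 2.1 relative-luminance formula, which is easy to run over your palette in a build step instead of waiting for a WAVE scan. The following is an added example, not code from WAVE or axe: it linearises each sRGB channel with the 0.03928 threshold that WCAG 2.1 specifies, weights the channels, and reports the rounded ratio that audit tools show. The sample palette values are constructed.

```javascript
// Added example: WCAG 2.1 relative luminance and contrast ratio for hex colours,
// checked against the AA thresholds (4.5:1 normal text, 3:1 large text).
// Not code from WAVE or axe; the sample palette below is constructed.

// Relative luminance per WCAG 2.1: sRGB channel -> linear, then weighted sum.
function relativeLuminance(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`expected a 6-digit hex colour, got ${hex}`);
  const channels = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16) / 255);
  const [r, g, b] = channels.map((c) =>
    c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4));
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour on top, rounded to
// two decimals as audit tools report it. Argument order does not matter.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  const ratio = (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
  return Math.round(ratio * 100) / 100;
}

// WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (18pt+, or 14pt bold).
function passesAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of [name, foreground, background] pairs and report each result.
function auditPalette(pairs) {
  return pairs.map(([name, fg, bg]) => ({
    name, ratio: contrastRatio(fg, bg), aa: passesAA(fg, bg),
  }));
}

// Constructed sample palette: the "muted" gray is the classic near-miss.
const SAMPLE_PALETTE = [
  ["body text", "#222222", "#ffffff"],
  ["muted text", "#777777", "#ffffff"],
  ["muted text (fixed)", "#767676", "#ffffff"],
];

for (const row of auditPalette(SAMPLE_PALETTE)) {
  console.log(`${row.name}: ${row.ratio}:1 ${row.aa ? "passes" : "FAILS"} AA`);
}
```

The two grays show why the check is worth automating: #777777 on white comes out at 4.48:1 and fails, while #767676, visually indistinguishable, passes at 4.54:1. Run the audit over every text/background combination your theme emits, not just the defaults, since hover states and disabled buttons are where failures usually hide.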
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
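Tokenized payment forms keep card numbers out of your checkout, but customers still paste them into contact forms, order notes and support tickets, and anything stored there is in PCI scope. A practical guard is to screen every form submission server-side for Luhn-valid 13-19 digit runs and refuse to store it. The following is an added example of that check, not code from Stripe, PayPal or WooCommerce; the handler shape and the sample submission are constructed for the example, and the card number in it is a well-known test number, not a real account.

```javascript
// Added example: a server-side guard that refuses to store form submissions containing
// card-number-like data, so a PAN typed into a free-text field never reaches your
// database or logs. Not from any payment provider; the sample submission is constructed.

// Luhn (mod 10) check. Every real card number passes it, which separates a PAN from
// other long digit runs such as order ids or phone numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs of 13-19 digits, allowing the spaces and dashes people type.
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Names of the fields whose value contains a Luhn-valid PAN candidate.
function findPanFields(fields) {
  const hits = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    for (const m of value.match(PAN_CANDIDATE) || []) {
      if (luhnValid(m.replace(/[ -]/g, ""))) { hits.push(name); break; }
    }
  }
  return hits;
}

// Mask all but the last four digits, so neither the error shown to the user nor the
// log line written about the rejection echoes the full number.
function maskPan(value) {
  return value.replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? "****" + digits.slice(-4) : m;
  });
}

// Screen a submission before persisting it: either store it as-is, or reject it with
// a 422 and a message pointing the user to the payment form. Nothing is persisted here.
function screenSubmission(fields) {
  const offending = findPanFields(fields);
  if (offending.length === 0) return { ok: true, fields };
  return {
    ok: false,
    status: 422,
    error: `Please do not enter card numbers in: ${offending.join(", ")}. ` +
           "Card details are only taken on the secure payment form.",
    // Safe to log: the PAN is already masked.
    redactedFields: Object.fromEntries(
      Object.entries(fields).map(([k, v]) => [k, typeof v === "string" ? maskPan(v) : v])),
  };
}

// Constructed sample: a support form where a customer pasted a card number.
const SAMPLE_SUBMISSION = {
  email: "customer@example.com",
  order_id: "ORD-2024-000123",
  message: "My card 4111 1111 1111 1111 was charged twice, please check.",
};
```

Wire `screenSubmission` in front of whatever stores contact-form, checkout-notes or ticket data, and log only `redactedFields`; the same check run over existing tables tells you whether card data has already crept into scope.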
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse).
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases).
- Consent records: You must store a record of what was consented to, when, and by which user.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
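The consent plugins compared elsewhere on this page do all of this for you; to show what the requirements above amount to in code, here is a small consent gate as an added example (not code from the article or from any of those plugins). It uses the categories in the table: nothing optional runs before an explicit choice, each category is a separate yes/no, every decision is recorded, and withdrawal is one call. The storage key, record shape and policy version are assumptions; the store can be anything with localStorage's getItem/setItem.

```javascript
// Added example: a minimal consent gate for the cookie categories above.
const POLICY_VERSION = "2024-06";     // assumed; bump when the cookie policy changes
const STORAGE_KEY = "cookie_consent"; // assumed storage key
const OPTIONAL = ["functional", "analytics", "marketing"]; // "necessary" is exempt

class ConsentManager {
  // store: anything with getItem/setItem (window.localStorage in a browser).
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    this.queued = { functional: [], analytics: [], marketing: [] };
    this.log = []; // in-memory copy; send records to your server for the consent log
  }

  // A record written under an older policy version is stale: the visitor has
  // to be asked again, because consent must be prior and informed.
  current() {
    const raw = this.store.getItem(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  needsBanner() {
    return this.current() === null;
  }

  // Default is "no": nothing is pre-ticked and silence never counts as consent.
  isAllowed(category) {
    if (category === "necessary") return true;
    if (!OPTIONAL.includes(category)) throw new Error(`unknown category ${category}`);
    const rec = this.current();
    return rec !== null && rec.choices[category] === true;
  }

  // Register the loader for a tag (analytics snippet, ad pixel, ...). It runs
  // now if the category is allowed, otherwise only after a matching decision.
  whenAllowed(category, loader) {
    if (this.isAllowed(category)) loader();
    else this.queued[category].push(loader);
  }

  // Record an explicit, granular decision. Every optional category must be a
  // boolean so a partial object can never silently imply consent.
  record(choices, method) {
    const normalized = {};
    for (const c of OPTIONAL) {
      if (typeof choices[c] !== "boolean") throw new Error(`missing choice for ${c}`);
      normalized[c] = choices[c];
    }
    const rec = {
      version: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      method, // "accept_all" | "reject_all" | "custom" | "withdraw"
      choices: normalized,
    };
    this.store.setItem(STORAGE_KEY, JSON.stringify(rec));
    this.log.push(rec);
    for (const c of OPTIONAL) {
      if (normalized[c]) {
        this.queued[c].forEach((fn) => fn());
        this.queued[c] = [];
      }
    }
    return rec;
  }

  // "Reject All" is always offered next to "Accept All".
  acceptAll() {
    return this.record({ functional: true, analytics: true, marketing: true }, "accept_all");
  }
  rejectAll() {
    return this.record({ functional: false, analytics: false, marketing: false }, "reject_all");
  }
  // Withdrawal is as easy as consenting: one call from the footer settings link.
  // Tags already loaded in this page view are not unloaded; delete their cookies
  // and reload so the next view starts clean.
  withdraw() {
    return this.record({ functional: false, analytics: false, marketing: false }, "withdraw");
  }
}

// Tiny in-memory store so the example runs outside a browser.
class MemoryStore {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}
```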
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
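Keeping card numbers out of your own forms is a rule that a single misconfigured plugin or a custom checkout field can break without anyone noticing, and once a PAN lands in your logs or database your SAQ A scope is gone. A defence-in-depth check is to have the server refuse any request body that carries something shaped like a card number. The following is an added example, not code from the article or from Stripe, PayPal or WooCommerce: a Luhn-based detector and an Express-style middleware around it. The middleware signature and the sample request bodies are constructed.

```javascript
"use strict";
// Added example (not from the original article): a server-side guard that refuses
// any request whose body carries something that looks like a card number, so a
// mis-built form cannot quietly pull your server into PCI scope. The middleware
// signature is Express-style; the detector itself is framework-agnostic.

// Luhn checksum over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, with spaces and dashes removed, it is 13-19
// digits and passes Luhn. Order ids or phone numbers of that length fail Luhn
// about nine times out of ten, so treat a hit as "investigate", not as proof.
function looksLikePAN(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Recursively walk a parsed JSON or form body; return dotted paths of suspicious fields.
function findPANFields(body, path = "") {
  const hits = [];
  if (body === null || typeof body !== "object") return hits;
  for (const [key, value] of Object.entries(body)) {
    const p = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === "object") hits.push(...findPANFields(value, p));
    else if (looksLikePAN(value)) hits.push(p);
  }
  return hits;
}

// Middleware factory: reject with 400 and log only the field paths, never the values,
// so the guard itself does not write card data into your logs.
function pciScopeGuard(logger = console) {
  return function guard(req, res, next) {
    const hits = findPANFields(req.body);
    if (hits.length === 0) return next();
    logger.warn(`pci-scope-guard: card-number-like data rejected in ${req.method} ${req.path} fields=${hits.join(",")}`);
    return res.status(400).json({
      error: "Card details must be entered in the payment provider's form, not this one.",
    });
  };
}
```

Mount it on every route that accepts user input, not only the checkout route; the whole point is to catch the field you did not expect. A legitimate checkout built on Stripe.js or PayPal's buttons only ever sends the server a token or payment-intent id, so it passes the guard untouched.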
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics needs consent on two counts: it sets tracking cookies (the ePrivacy cookie rule) and it ships visitor data to Google’s servers in the US (an international transfer that needs its own GDPR basis). If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics; self-hosted, so the data stays on your server. Has a cookie-less mode, and with that plus IP anonymisation enabled it runs without consent under most GDPR interpretations (France’s CNIL, for example, treats audience-measurement tools configured per its guidance as consent-exempt).
- Plausible: From $9/month. No cookies; visitors are counted with a hashed identifier that rotates daily rather than with stored personal data, so it is designed to run without a banner. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Consent, contract performance, legal obligation, or legitimate interest, named per purpose rather than one basis for everything (the remaining two GDPR bases, vital interests and public task, rarely apply to a website)
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, object to processing, and lodge a complaint with a supervisory authority
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (clickwrap) is enforced far more reliably by courts than “using the site implies acceptance” (browsewrap); use the checkbox wherever there is a registration or checkout step
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers every other way of storing or reading information on the visitor’s device for a non-essential purpose, not just cookies: localStorage, tracking pixels, and fingerprinting scripts. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of your cookie policy. For anonymous visitors, key the record to a random consent ID stored in the consent cookie rather than collecting identifying data to prove consent; logging names or full IP addresses for this purpose would create a new personal-data store of its own
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Hotjar session recordings, Matomo with cookies enabled | Yes (ePrivacy and GDPR); the exception is cookie-less analytics with IP anonymisation, such as Matomo’s cookie-less mode |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
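The check that the “prior” rule implies, as an added example (not from this post): load the page once with no consent cookie, capture the `Set-Cookie` response headers, and classify every cookie against the categories in the table. Anything outside the necessary category is a cookie set before consent. While the same headers are in hand, the script also flags session cookies without `Secure`/`HttpOnly`. The name-to-category map and the sample headers are constructed for the example; extend the map from your own cookie scan. Cookies written by scripts through `document.cookie` (gtag.js, the Facebook pixel) never appear in response headers and need a browser-based scan; this covers the server side.

```javascript
// cookie-audit.js: added example of the check behind "prior means before the
// cookie is set". It classifies the Set-Cookie headers captured from a first,
// consent-less page load and reports anything outside the necessary category.
// The name-to-category map is an assumption built from common cookie names.
const KNOWN_COOKIES = [
  { pattern: /^(PHPSESSID$|wordpress_(sec|logged_in)_|wordpress_test_cookie$|wp-settings-|woocommerce_(cart_hash|items_in_cart)$|wp_woocommerce_session_)/, category: "necessary" },
  { pattern: /^(cmplz_|cookieyes-consent$|CookieConsent$)/, category: "necessary" }, // the stored consent choice itself is exempt
  { pattern: /^(pll_language|wp-wpml_current_language)$/, category: "functional" },
  { pattern: /^(_ga|_gid|_gat|_pk_(id|ses)|_hj)/, category: "analytics" },
  { pattern: /^(_fbp|_fbc|_gcl_au|IDE|fr)$/, category: "marketing" },
];

// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function classify(name) {
  const hit = KNOWN_COOKIES.find((k) => k.pattern.test(name));
  return hit ? hit.category : "unclassified";
}

// Audit headers from a response sent before the banner was answered.
// Findings: non-necessary cookies set without consent, unknown cookies to
// categorise, and session cookies missing Secure/HttpOnly (a hardening
// check worth doing while you are looking at the same headers anyway).
function auditPreConsent(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    const category = classify(c.name);
    if (category === "unclassified") {
      findings.push({ name: c.name, issue: "unclassified: categorise it in your cookie policy" });
    } else if (category !== "necessary") {
      findings.push({ name: c.name, issue: `${category} cookie set before consent` });
    } else if (/PHPSESSID|logged_in|session/i.test(c.name)) {
      const missing = ["secure", "httponly"].filter((a) => !c.attrs[a]);
      if (missing.length) findings.push({ name: c.name, issue: `missing ${missing.join(", ")} attribute` });
    }
  }
  return findings;
}

// Constructed sample: a WordPress site with Google Analytics and the
// Facebook pixel, first response, banner not yet answered.
const SAMPLE_HEADERS = [
  "PHPSESSID=8f3a1c9d2b7e; Path=/; HttpOnly",
  "wordpress_test_cookie=WP%20Cookie%20check; Path=/; Secure; HttpOnly",
  "_ga=GA1.1.123456789.1700000000; Max-Age=63072000; Path=/",
  "_fbp=fb.1.1700000000000.1234567890; Max-Age=7776000; Path=/; SameSite=Lax",
  "cmplz_consented_services=; Max-Age=31536000; Path=/",
  "xyz_tracker=abc; Path=/",
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditPreConsent(SAMPLE_HEADERS));
}
```

On the sample the audit reports four findings: the session cookie lacks `Secure`, `_ga` and `_fbp` were set before consent, and `xyz_tracker` is unknown and needs a category. Run it against real captures (curl with no cookie jar, or the response headers from the browser’s network panel) after every plugin install, which is what the monthly cookie scan in the maintenance table is for.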
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
- Verify the requester’s identity before releasing or erasing anything: a forged access request is a cheap way for an attacker to obtain someone else’s data, and GDPR lets you ask for additional information to confirm identity when you have reasonable doubts
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards; some incorporate the DPA into their standard terms, so that accepting the terms signs it. Completing them is a 10-minute task per vendor. Record which DPA version you are on for each vendor in your data map. Not having them in place is a GDPR violation (Article 28) even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Both send a confirmation link to the address in the request and mark it confirmed only when that link is clicked; that is the identity check, so do not export or erase on an unverified email. They cover core WordPress data but may not cover plugin data. WooCommerce registers its order data with these tools; check whether each other plugin holding personal data (BuddyPress profiles, form submissions) does the same or ships its own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify the affected people directly. Your processors (hosting, email platform) must tell you about breaches on their side without undue delay, so check that each DPA says how. Keep an internal log of every breach, including the ones you decide not to report, and designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out, which the CPRA regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that GPC handling is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire) when the form is a redirect to the processor or the processor’s own iframe.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server. The tokenized form only protects the card data if the page around it is intact: a script injected into your checkout page (a compromised plugin or theme, a hijacked third-party tag) can swap in a fake card form or intercept the details before they reach the processor. PCI DSS v4.0 added requirements for inventorying the scripts on payment pages and detecting changes to them (6.4.3 and 11.6.1); in practice that means a Content-Security-Policy that restricts script sources on checkout pages and an alert when the set of scripts on the checkout page changes.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, where the GDPR age of digital consent is 16 unless a member state has lowered it), and add an age check to registration forms if there is any possibility of underage users. Ask for the age or a date of birth in order to check it, but do not keep a date of birth you have no other use for - it is personal data in its own right.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU, or monitors their behaviour, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR, and so is one that tracks EU visitors with analytics cookies or ad pixels. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of global annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data from visitors (email signups, contact forms, cookies, analytics), you are within GDPR’s reach as soon as you sell to or track visitors in the EU. Mere reachability from the EU is not, on its own, enough, but analytics cookies on an English-language site with EU traffic normally is. Treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
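A defensive check that backs up the rule above: if your server ever receives a raw card number (because a theme change broke the tokenized form, or someone added a "card number" field to a custom checkout), you want to find out immediately rather than at audit time. The following is an added example and is not code from this post, from Stripe, from PayPal or from WooCommerce. It scans an incoming request body for values that look like a primary account number (13 to 19 digits passing the Luhn check), refuses the request, and reports the field with the number masked so the log itself does not become cardholder data. The `tok_`/`pm_` prefix test is a Stripe-style reference format used for illustration; the sample bodies are constructed.

```javascript
// Added example: server-side guard that keeps raw card numbers off your server.
// Not from the post or any payment provider; field names and token format are illustrative.

// 13 to 19 digits with optional single spaces or dashes between them.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Luhn check: every second digit from the right is doubled (minus 9 if > 9), sum must be % 10 == 0.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Returns the digit strings in `text` that look like card numbers.
function findCardNumbers(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/\D/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Keeps only the last four digits, which PCI DSS allows to be displayed/logged.
function mask(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Walks every string/number field of a parsed request body and reports PAN-looking values.
// Call this before any other handling; on `ok === false` reject the request and alert.
function guardPaymentRequest(body) {
  const violations = [];
  const walk = (value, path) => {
    if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
    } else if (typeof value === 'string' || typeof value === 'number') {
      for (const pan of findCardNumbers(value)) violations.push({ field: path, masked: mask(pan) });
    }
  };
  walk(body, '');
  return { ok: violations.length === 0, violations };
}

// What a tokenizing checkout should send instead: a processor reference, never the PAN.
function looksLikeProcessorToken(s) {
  return /^(tok|pm)_[A-Za-z0-9]+$/.test(String(s));
}

// Constructed sample bodies: a correct tokenized checkout and a broken one.
const GOOD_BODY = { payment_method: 'pm_sample123', amount: 1999, currency: 'usd' };
const BAD_BODY = { card: { number: '4242 4242 4242 4242', exp: '12/30' }, amount: 1999 };
```

The regex is deliberately loose and the Luhn check tightens it; a long order ID will occasionally pass both, which is acceptable for a guard whose job is to fail loudly. Wire it into the request pipeline so that a violation is rejected with a generic error and raised to whoever owns your PCI scope.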
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
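To make the requirements list and the category table above concrete, here is an added example of a minimal consent manager; it is not code from this post or from any of the plugins compared on this page. It starts with every optional category off (nothing pre-ticked), treats "reject all" and "withdraw" as first-class actions, writes a record of each decision (what, when, by whom, how), invalidates old consent when the policy version changes, and only releases scripts whose category has been consented to. Storage is an injected Map so it runs without a browser; the script list, the policy version and the visitor id are constructed sample values.

```javascript
// Added example, not from the post or any consent plugin: a consent manager that
// enforces the cookie-consent requirements and gates scripts by category.

const OPTIONAL = ['functional', 'analytics', 'marketing']; // 'necessary' needs no consent

// Constructed sample: third-party scripts tagged with the category that gates them.
const SAMPLE_SCRIPTS = [
  { src: 'https://example.invalid/matomo.js', category: 'analytics' },
  { src: 'https://example.invalid/pixel.js', category: 'marketing' },
  { src: 'https://example.invalid/i18n.js', category: 'functional' },
];

class ConsentManager {
  constructor({ policyVersion, store = new Map(), log = [], now = () => new Date() }) {
    this.policyVersion = policyVersion; // bump whenever the cookie policy changes
    this.store = store;                 // stands in for a first-party consent cookie
    this.log = log;                     // stands in for the server-side consent log
    this.now = now;
  }

  // State before any choice: every optional category is off (nothing pre-ticked).
  static defaultChoices() {
    return Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  }

  // The valid decision on file, or null when the visitor must be asked (again).
  current() {
    const rec = this.store.get('consent');
    if (!rec || rec.policyVersion !== this.policyVersion) return null;
    return rec;
  }

  // Stores an active choice; `method` documents how it was given ('banner', 'settings', 'withdraw').
  record(choices, method, visitorId) {
    const clean = ConsentManager.defaultChoices();
    for (const c of OPTIONAL) clean[c] = choices[c] === true; // only an explicit true counts
    const rec = {
      visitorId,
      method,
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(),
      choices: clean,
    };
    this.store.set('consent', rec);
    this.log.push(rec); // append-only: what was consented to, when, and by whom
    return rec;
  }

  acceptAll(visitorId) {
    return this.record(Object.fromEntries(OPTIONAL.map((c) => [c, true])), 'banner', visitorId);
  }
  rejectAll(visitorId) { return this.record({}, 'banner', visitorId); }   // as easy as acceptAll
  withdraw(visitorId) { return this.record({}, 'withdraw', visitorId); }  // footer "cookie settings" link

  isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = this.current();
    return rec ? rec.choices[category] === true : false; // no decision yet means blocked
  }

  // Script blocking: only scripts in consented categories are returned for injection.
  scriptsToLoad(scripts = SAMPLE_SCRIPTS) {
    return scripts.filter((s) => this.isAllowed(s.category)).map((s) => s.src);
  }
}

// Walk-through of one visitor's session; returns the audit log it produced.
function demo() {
  const cm = new ConsentManager({ policyVersion: 'v2' });
  cm.scriptsToLoad();                                      // [] : nothing loads before a choice
  cm.record({ analytics: true }, 'settings', 'visitor-1'); // granular: analytics only
  cm.scriptsToLoad();                                      // only the analytics script
  cm.withdraw('visitor-1');                                // back to necessary-only
  return cm.log;
}
```

In a real deployment the `store` is a first-party cookie or localStorage entry, the `log` is a server-side table with the same fields, and `scriptsToLoad` is what the banner calls after a choice to inject the allowed `<script>` tags; the policy-version check is what forces a fresh banner after you add a new tracking tool.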
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
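The five requirements above translate into a small piece of state logic that any consent banner, plugin or hand-rolled, has to get right. The following is an added example (not code from the original post or from any of the plugins compared below): a framework-free consent state machine with no pre-ticked defaults, granular categories, one-click accept/reject/withdraw, a consent record, and a tag queue that holds third-party scripts back until consent exists. The category names, the `POLICY_VERSION` string and the visitor id scheme are assumptions for illustration.

```javascript
// Added example, not from the original post: a framework-free consent state
// machine that enforces the five requirements above. Category names, the
// policy version string and the visitor id are assumptions for illustration.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // assumed; bump whenever the cookie policy text changes

// Start state: only strictly-necessary cookies allowed, no choice recorded,
// nothing pre-ticked. Scrolling or browsing on never changes this state.
function initialConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false,
           decided: false, decidedAt: null };
}

// Apply an explicit click. Each optional category is granted only if its box
// was actively ticked; anything absent stays false (granular, not bundled).
function applyChoice(state, choices, now = new Date()) {
  const next = { ...state, decided: true, decidedAt: now.toISOString() };
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;   // exempt, never asked
    next[cat] = choices[cat] === true;
  }
  return next;
}

// "Accept All" and "Reject All" are the same one-click action, as required.
function acceptAll(state, now) {
  return applyChoice(state, { functional: true, analytics: true, marketing: true }, now);
}
function rejectAll(state, now) { return applyChoice(state, {}, now); }
// Withdrawal is as easy as giving consent: one click from the footer settings link.
function withdrawAll(state, now) { return rejectAll(state, now); }

// Gate: may a tag in this category run right now? Undecided means no.
function mayLoad(state, category) {
  if (category === 'necessary') return true;
  return state.decided && state[category] === true;
}

// The record to keep (what, when, by whom). The visitor id is a random value
// held in a strictly-necessary cookie, so the log itself holds no IP address.
function consentRecord(state, visitorId) {
  return {
    visitorId,
    policyVersion: POLICY_VERSION,
    decidedAt: state.decidedAt,
    granted: CATEGORIES.filter(c => c !== 'necessary' && state[c]),
  };
}

// Tags register a loader instead of running immediately; the queue is drained
// only once consent exists ("prior" consent). Withdrawal stops future loads;
// a tag already running in this page view is gone only on the next load.
function createTagQueue() {
  const pending = [];
  return {
    register(category, load) { pending.push({ category, load, loaded: false }); },
    apply(state) {
      for (const tag of pending) {
        if (!tag.loaded && mayLoad(state, tag.category)) { tag.load(); tag.loaded = true; }
      }
      return pending.filter(t => t.loaded).length;
    },
  };
}
```

In a real page the `load` callbacks would inject the analytics or pixel `<script>` tags, and `consentRecord` would be POSTed to the server-side log that the plugin tables below call "Consent Logs". Re-running `apply` after a withdrawal only prevents further loads; a script already executing in the current page view cannot be unloaded, which is why consent tools reload the page after withdrawal.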
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
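The table is exactly what a cookie scan needs as input: a map from cookie name to category, and the rule that only the strictly-necessary category may exist before a decision. The following added example (not from the original post, and not any plugin's scanner) classifies the cookies seen on a first, pre-consent page load and reports the ones that should not be there yet. The name patterns are a small starter list assumed for illustration, not a complete cookie database; the sample cookie string is constructed.

```javascript
// Added example, not from the original post: classify observed cookies against
// the categories above and flag non-essential cookies set before consent.
// The pattern list is an assumed starter set, not a complete database.
const COOKIE_RULES = [
  { pattern: /^(PHPSESSID|wordpress_logged_in_|wordpress_sec_|wp-settings-|woocommerce_cart_hash|woocommerce_items_in_cart)/, category: 'necessary' },
  { pattern: /^(csrftoken|XSRF-TOKEN|__Host-|__Secure-)/, category: 'necessary' },
  { pattern: /^(pll_language|wp_lang|timezone)$/, category: 'functional' },
  { pattern: /^(_ga|_gid|_gat|_pk_id|_pk_ses|_hj)/, category: 'analytics' },
  { pattern: /^(_fbp|_fbc|_gcl_|IDE|fr|test_cookie)/, category: 'marketing' },
];

function classifyCookie(name) {
  const rule = COOKIE_RULES.find(r => r.pattern.test(name));
  return rule ? rule.category : 'unknown';
}

// Parse a "Cookie:" header style string ("a=1; b=2") into cookie names.
function cookieNames(cookieHeader) {
  return cookieHeader.split(';').map(s => s.trim()).filter(Boolean).map(s => s.split('=')[0]);
}

// consent: { functional, analytics, marketing } booleans; a missing key means
// the visitor has not consented to that category.
function auditCookies(cookieHeader, consent = {}) {
  const report = { allowed: [], violations: [], unknown: [] };
  for (const name of cookieNames(cookieHeader)) {
    const category = classifyCookie(name);
    if (category === 'unknown') { report.unknown.push(name); continue; }
    if (category === 'necessary' || consent[category] === true) {
      report.allowed.push({ name, category });
    } else {
      report.violations.push({ name, category });   // set before consent: fix the tag order
    }
  }
  return report;
}

// Constructed sample: cookies captured on a first visit, before any banner click.
const FIRST_VISIT_COOKIES = 'PHPSESSID=abc; _ga=GA1.1.1; _fbp=fb.1.2; pll_language=en; mystery=1';
```

Run it against a real capture by pasting the value of `document.cookie` from a fresh private-browsing session, before clicking anything on the banner. Every entry in `violations` is a tag that fires before consent; every entry in `unknown` needs a manual category decision and a line in the cookie policy.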
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
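The three checklist groups above are steps of one procedure: the data map is what makes the lawful-basis check and the rights processes mechanical. The following added example (not from the original post, and not a WordPress feature) keeps the map as data, validates it against the Lawful Basis items, and then uses it to drive a retention sweep, a portability export and an erasure that honours the "with exceptions" clause. The store names, record fields, retention periods and sample records are all constructed for illustration.

```javascript
// Added example, not from the original post: a machine-readable data map that
// covers the Data Mapping and Lawful Basis items, plus the retention sweep,
// portability export and erasure (with the legal-obligation exception) that the
// Data Subject Rights items call for. Store names, fields and the sample
// records are constructed for illustration.
const LAWFUL_BASES = ['consent', 'contract', 'legitimate interest', 'legal obligation'];

const DATA_MAP = [
  { category: 'account email', source: 'registration', storage: 'wp_users',
    processor: 'own server', lawfulBasis: 'contract', retentionDays: null },        // null: while the account exists
  { category: 'marketing email consent', source: 'newsletter form', storage: 'email platform',
    processor: 'Mailchimp', lawfulBasis: 'consent', retentionDays: 730, consentMechanism: 'double opt-in' },
  { category: 'access log IP', source: 'web server', storage: 'log files',
    processor: 'hosting provider', lawfulBasis: 'legitimate interest', retentionDays: 30, lia: 'LIA-2026-01' },
  { category: 'order records', source: 'checkout', storage: 'WooCommerce orders',
    processor: 'own server', lawfulBasis: 'legal obligation', retentionDays: 2555 },  // assumed 7-year bookkeeping period
];

// Checklist rules: consent needs a documented mechanism, legitimate interest
// needs an LIA, every entry needs a known basis and a retention statement.
function validateDataMap(map) {
  const problems = [];
  for (const e of map) {
    if (!LAWFUL_BASES.includes(e.lawfulBasis)) problems.push(`${e.category}: unknown lawful basis`);
    if (e.lawfulBasis === 'consent' && !e.consentMechanism) problems.push(`${e.category}: no consent mechanism documented`);
    if (e.lawfulBasis === 'legitimate interest' && !e.lia) problems.push(`${e.category}: no Legitimate Interests Assessment`);
    if (e.retentionDays === undefined) problems.push(`${e.category}: retention period not documented`);
  }
  return problems;
}

// Constructed sample stores; every record carries subjectId and createdAt.
const STORES = {
  'wp_users': [{ subjectId: 'u1', createdAt: '2025-06-01T00:00:00Z', email: 'u1@example.com' }],
  'email platform': [{ subjectId: 'u1', createdAt: '2025-06-01T00:00:00Z', email: 'u1@example.com', consent: 'double opt-in' }],
  'log files': [
    { subjectId: 'u1', createdAt: '2025-12-01T00:00:00Z', ip: '203.0.113.5' },
    { subjectId: 'u1', createdAt: '2026-02-20T00:00:00Z', ip: '203.0.113.5' },
  ],
  'WooCommerce orders': [{ subjectId: 'u1', createdAt: '2026-01-05T00:00:00Z', total: 49.0 }],
};

// Retention sweep: records older than the period the map documents for their store.
function expiredRecords(map, stores, now) {
  const expired = [];
  for (const e of map) {
    if (e.retentionDays == null) continue;
    const cutoff = now.getTime() - e.retentionDays * 86400000;
    for (const rec of stores[e.storage] || []) {
      if (Date.parse(rec.createdAt) < cutoff) expired.push({ storage: e.storage, category: e.category, record: rec });
    }
  }
  return expired;
}

// Portability: every record about one subject, grouped by store, as JSON.
function exportSubject(map, stores, subjectId) {
  const out = {};
  for (const e of map) {
    const records = (stores[e.storage] || []).filter(r => r.subjectId === subjectId);
    if (records.length) out[e.storage] = { category: e.category, lawfulBasis: e.lawfulBasis, records };
  }
  return JSON.stringify(out, null, 2);
}

// Erasure: remove the subject everywhere except where a legal obligation
// (here, order records) requires keeping the data; return what was retained.
function eraseSubject(map, stores, subjectId) {
  const retained = [];
  for (const e of map) {
    if (!stores[e.storage]) continue;
    if (e.lawfulBasis === 'legal obligation') { retained.push(e.category); continue; }
    stores[e.storage] = stores[e.storage].filter(r => r.subjectId !== subjectId);
  }
  return retained;
}
```

The point of keeping the map as data rather than prose is that the same list answers the privacy-policy sections above (what, why, how long, who with), runs the monthly retention job, and tells the deletion handler which stores it may not touch. The list `eraseSubject` returns is what you tell the requester you kept and why.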
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
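Even with Stripe.js or Smart Buttons handling checkout, card numbers still reach your database when a customer pastes one into a contact form or a "notes" field; a single stored PAN is enough to widen your PCI scope. The following added example (not from the original post, and not part of any payment SDK) is a server-side screen that detects Luhn-valid card-number-shaped strings in submitted fields and rejects the submission, logging only a redacted form. Field names and the sample submission are constructed; the test numbers used are the standard publicly documented test PANs.

```javascript
// Added example, not from the original post: refuse to store form input that
// contains a Luhn-valid card number, so a customer pasting a PAN into a free-text
// field cannot pull your database into PCI scope. Field names are assumed.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the digit strings in `text` that look like a PAN and pass Luhn.
function findPans(text) {
  const found = [];
  for (const m of text.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Keep only the last four digits for the audit log; never log the full PAN.
function redact(digits) { return '*'.repeat(digits.length - 4) + digits.slice(-4); }

// Screen a submitted form. Returns { ok, rejected } where each rejected entry
// names the field and carries a redacted value safe for logging.
function screenSubmission(fields) {
  const rejected = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    const pans = findPans(value);
    if (pans.length) rejected.push({ field: name, redacted: pans.map(redact) });
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample: a contact form where the customer typed a (test) card number.
// The order reference is 16 digits but fails Luhn, so it is left alone.
const SAMPLE_FORM = {
  name: 'Pat',
  message: 'My card is 4242 4242 4242 4242, please charge it',
  order: 'ref 1234567812345678',
};
```

Wire `screenSubmission` in front of every handler that persists free text (contact forms, order notes, support tickets, comments) and respond to a rejection with a message asking the customer to use the checkout form instead. The Luhn check is what keeps order references, tracking numbers and phone numbers from being flagged.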
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
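To make the requirements list and the category table above concrete, here is an added example (not code from the original post or from any of the consent plugins it compares): a small consent-state module that starts with nothing pre-ticked, offers accept-all and reject-all equally, records every decision, forces re-consent when the policy version changes, and gates blocked scripts on the visitor's choice. `POLICY_VERSION` and the `data-consent` attribute are assumptions for the example.

```javascript
// Added example, not from the original post: consent state for the four
// categories in the table above. Plain JavaScript so it runs in Node for
// testing; in the browser persist `state` in a first-party cookie or
// localStorage and call activateBlockedScripts() after each decision.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Assumption: bump this whenever the cookie policy or the cookie list changes,
// so that consent given under the old text no longer counts.
const POLICY_VERSION = '2024-01';

// No pre-ticked boxes: every non-essential category starts off, and nothing is
// "decided" until the visitor actively clicks something.
function initialState() {
  return {
    decided: false,
    policyVersion: POLICY_VERSION,
    choices: { necessary: true, functional: false, analytics: false, marketing: false },
    log: [], // consent records: what was chosen, when, and how
  };
}

// Every decision appends a record (what, when, how). "Who" is the anonymous id
// stored next to this state in the first-party cookie, not the IP address.
function recordDecision(state, choices, action, now = Date.now()) {
  const merged = { ...state.choices, ...choices, necessary: true }; // necessary cannot be refused
  const entry = { at: new Date(now).toISOString(), action, policyVersion: POLICY_VERSION, choices: { ...merged } };
  return { ...state, decided: true, policyVersion: POLICY_VERSION, choices: merged, log: [...state.log, entry] };
}

// "Accept All" and "Reject All" must be equally available: both are one call.
function acceptAll(state, now) {
  return recordDecision(state, { functional: true, analytics: true, marketing: true }, 'accept-all', now);
}
function rejectAll(state, now) {
  return recordDecision(state, { functional: false, analytics: false, marketing: false }, 'reject-all', now);
}

// Granular consent from the settings panel. Unknown categories are rejected so
// a typo in a template cannot silently grant a purpose the visitor never saw.
function savePreferences(state, partial, now) {
  for (const key of Object.keys(partial)) {
    if (!CATEGORIES.includes(key)) throw new Error(`unknown cookie category: ${key}`);
    if (typeof partial[key] !== 'boolean') throw new Error(`choice for ${key} must be boolean`);
  }
  return recordDecision(state, partial, 'save-preferences', now);
}

// Withdrawal is as easy as giving consent: one call, logged like any decision.
function withdrawAll(state, now) {
  return recordDecision(state, { functional: false, analytics: false, marketing: false }, 'withdraw', now);
}

// Gate for every non-essential script: load only after an active decision that
// switched this category on. Before a decision nothing non-essential runs,
// which is what "prior" consent means.
function shouldLoad(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === 'necessary') return true;
  return state.decided && state.choices[category] === true;
}

// Show the banner when there is no decision yet or the policy changed since.
function needsBanner(state) {
  return !state.decided || state.policyVersion !== POLICY_VERSION;
}

// Rehydrate state saved in the first-party cookie. A corrupt record, or one
// made under an older policy version, means asking again; history is kept.
function loadState(serialized) {
  let parsed;
  try { parsed = JSON.parse(serialized); } catch (e) { return initialState(); }
  const history = parsed && Array.isArray(parsed.log) ? parsed.log : [];
  if (!parsed || parsed.policyVersion !== POLICY_VERSION || !parsed.choices) {
    return { ...initialState(), log: history };
  }
  return { ...initialState(), ...parsed, choices: { ...parsed.choices, necessary: true }, log: history };
}

// Browser side: third-party tags are embedded as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never executes them on its own. After a decision, each one
// whose category is allowed is copied into a real script element (the same
// technique consent plugins use for script blocking). Returns the count activated.
function activateBlockedScripts(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const blocked of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    const category = blocked.getAttribute('data-consent');
    if (!CATEGORIES.includes(category) || !shouldLoad(state, category) || blocked.dataset.activated) continue;
    const live = doc.createElement('script');
    if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
    blocked.dataset.activated = 'true';
    blocked.parentNode.insertBefore(live, blocked.nextSibling);
    activated += 1;
  }
  return activated;
}
```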
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions shield you from liability for copyright infringement by your users, but only if you have registered a designated agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory. The designation must be renewed every three years; if it lapses, so does the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms such as BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children's Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge of users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites where the GDPR age of digital consent has not been lowered), and add a neutral date of birth or age check to registration forms if there is any possibility of underage users. If the check rejects a visitor, do not retain the date of birth you collected, and set a session flag so they cannot simply go back and enter a different date.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance. Keep that box separate from GDPR consent: each consent-based purpose (for example, marketing email) needs its own unticked checkbox, and bundling it with ToS acceptance invalidates the consent. Processing needed to provide the service itself, such as the account data you must hold to run the account, does not rest on consent at all but on the contract basis, so do not ask for a "consent" checkbox for it.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. "Using the site implies acceptance" (browsewrap) is weakly enforceable; an explicit "I agree" checkbox at registration or checkout (clickwrap) is what courts consistently uphold, so use it for any service with accounts or payments
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of the policy text, and by whom. A pseudonymous identifier is enough; the consent log should not itself become a tracking database of raw IP addresses
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month; extendable by two further months for complex or numerous requests, if you tell the person why within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to the exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected people directly without undue delay. Every breach, reportable or not, has to be documented internally with its facts, effects and remediation (Article 33(5)), because the authority can ask to see that log. Designate someone responsible for breach assessment and notification in your organization, and decide in advance how you will reach your hosting provider and other processors, since their contractual duty is to notify you, not the regulator.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a "Do Not Sell or Share My Personal Information" link in your site footer, and honor the Global Privacy Control browser signal as an opt-out request, which California regulators treat as mandatory (the 2022 Sephora settlement was partly about ignoring it). Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display the link only to California visitors and respond to the GPC signal.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Some regulators (France's CNIL, for example) have published a specific configuration under which it can run without consent; outside that configuration, treat it like any other analytics tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes analytics from the consent question (and removes the banner entirely if nothing else non-essential runs), and often speeds up your site, since these tools load a much smaller script than Google Analytics. It does not remove the tool from your privacy policy: IP addresses are still processed in transit, so the tool must be listed as a processor, and a hosted service such as Plausible or Fathom needs a DPA like any other vendor.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
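As an added example (not code from the article or from any of the consent plugins it compares), here is a small consent state manager that enforces the five requirements above in page code: non-essential categories start denied, choices are per category, Reject All and withdrawal are single calls, and every decision is appended to a consent log. The storage interface, category names and visitor id are assumptions for this example; in a browser you would pass localStorage, which has the same getItem/setItem shape.

```javascript
// Added example (not from the article): consent state that enforces "prior" consent
// (nothing non-essential runs before an explicit choice), no pre-ticked boxes, granular
// categories, a Reject All path, withdrawal as easy as granting, and a record of what was
// consented to, when, by which visitor and under which policy version.

const CATEGORIES = Object.freeze({
  necessary: { exempt: true },   // session, login, cart, CSRF token: no consent needed
  functional: { exempt: false },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

const LOG_KEY = 'cookie_consent_log';

// In-memory stand-in for localStorage, used by the demo and tests (constructed).
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
  };
}

function createConsentManager({ storage, policyVersion, visitorId, now = () => new Date() }) {
  const deferred = []; // { category, loader } pairs waiting for consent

  function history() {
    const raw = storage.getItem(LOG_KEY);
    return raw ? JSON.parse(raw) : [];
  }

  // The current decision is the last log entry, but only if it was made under the policy
  // version now in force; a decision made under an older policy is stale and must be re-asked.
  function currentRecord() {
    const log = history();
    const last = log[log.length - 1];
    return last && last.policyVersion === policyVersion ? last : null;
  }

  function hasDecision() { return currentRecord() !== null; }

  function isAllowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    if (CATEGORIES[category].exempt) return true;
    const rec = currentRecord();
    return rec !== null && rec.choices[category] === true; // denied until explicitly granted
  }

  // Record an explicit decision. Unknown keys are rejected, exempt categories are always
  // true, and categories not mentioned are treated as refused (never as pre-ticked).
  function decide(choices = {}, action = 'update') {
    for (const key of Object.keys(choices)) {
      if (!(key in CATEGORIES)) throw new Error(`unknown cookie category: ${key}`);
    }
    const normalized = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      normalized[name] = meta.exempt ? true : choices[name] === true;
    }
    const record = { policyVersion, visitorId, timestamp: now().toISOString(), action, choices: normalized };
    storage.setItem(LOG_KEY, JSON.stringify([...history(), record]));
    runDeferred();
    return record;
  }

  const allNonEssential = (value) => Object.fromEntries(
    Object.entries(CATEGORIES).filter(([, m]) => !m.exempt).map(([n]) => [n, value]));

  function acceptAll() { return decide(allNonEssential(true), 'accept_all'); }
  function rejectAll() { return decide(allNonEssential(false), 'reject_all'); }
  // Withdrawal is one call, same as granting. Scripts already running cannot be unloaded
  // here; the site must also delete the cookies those scripts set (not shown).
  function withdraw() { return decide(allNonEssential(false), 'withdraw'); }

  // Register a script loader for a category. It runs at once if allowed, otherwise it is
  // held until a decision permits it; this is how "prior" consent is enforced.
  function when(category, loader) {
    if (isAllowed(category)) loader();
    else deferred.push({ category, loader });
  }

  function runDeferred() {
    for (let i = deferred.length - 1; i >= 0; i--) {
      if (isAllowed(deferred[i].category)) {
        const { loader } = deferred.splice(i, 1)[0];
        loader();
      }
    }
  }

  return { isAllowed, hasDecision, decide, acceptAll, rejectAll, withdraw, when, currentRecord, history };
}
```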
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
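As an added example (not code from the article, nor from WAVE or axe), here is the WCAG 2.1 contrast-ratio computation behind the 4.5:1 rule, so a theme's text/background pairs can be checked in a build step rather than only by hand. The colour pairs used in the demo are constructed samples.

```javascript
// Added example (not from the article): relative luminance and contrast ratio as defined
// in WCAG 2.1, plus a palette audit that lists each pair with its ratio and pass/fail.

function hexToRgb(hex) {
  let h = String(hex).trim().replace(/^#/, '');
  if (h.length === 3) h = h.split('').map((c) => c + c).join(''); // #abc -> #aabbcc
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return {
    r: parseInt(h.slice(0, 2), 16),
    g: parseInt(h.slice(2, 4), 16),
    b: parseInt(h.slice(4, 6), 16),
  };
}

// sRGB 8-bit channel to linear light, per the WCAG 2.1 relative-luminance definition.
function linearChannel(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const { r, g, b } = hexToRgb(hex);
  return 0.2126 * linearChannel(r) + 0.7152 * linearChannel(g) + 0.0722 * linearChannel(b);
}

// (L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour; ranges from 1:1 to 21:1.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [light, dark] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (light + 0.05) / (dark + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (18pt+, or 14pt+ bold).
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of { name, fg, bg, largeText } pairs; returns one row per pair with the
// ratio rounded to two decimals and a pass flag, so failures can be listed in CI output.
function auditPalette(pairs) {
  return pairs.map((p) => {
    const ratio = contrastRatio(p.fg, p.bg);
    return {
      name: p.name,
      ratio: Math.round(ratio * 100) / 100,
      pass: ratio >= (p.largeText ? 3 : 4.5),
    };
  });
}

// Demo with constructed colours: #767676 on white just passes (4.54:1), #777777 just fails (4.48:1).
if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditPalette([
    { name: 'body text', fg: '#767676', bg: '#ffffff' },
    { name: 'muted text', fg: '#777777', bg: '#ffffff' },
    { name: 'hero heading', fg: '#777777', bg: '#ffffff', largeText: true },
  ]));
}
```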
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
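To make the consent requirements and the category table above concrete, here is an added example of the two mechanisms a banner has to get right: gating scripts by category so nothing non-essential runs before an active choice, and auditing which cookies are already set while consent is missing. This is not code from Complianz, CookieBot or any other plugin named on this page; the script registry, the cookie-name prefixes and the policy-version convention are constructed for the example.

```javascript
// Added example (not code from Complianz, CookieBot or any plugin on this page):
// category-based consent gating plus a pre-consent cookie audit. The script
// registry, cookie-name prefixes and the policy-version convention are constructed.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = 3; // assumed convention: bump when the cookie policy changes

// "Reject All" and "no decision yet" look the same: only necessary scripts run.
function rejectAll() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the user's checkbox choices into a consent state. Anything not ticked
// stays off (no pre-ticked defaults); "necessary" is exempt and always on.
function consentFromChoices(choices) {
  const consent = rejectAll();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices[cat] === true) consent[cat] = true;
  }
  return consent;
}

// The record to store server-side: what was consented to, when, by which
// (pseudonymous) visitor id, and against which version of the policy.
function makeConsentRecord(consent, visitorId, now = new Date()) {
  return {
    visitorId,
    policyVersion: POLICY_VERSION,
    givenAt: now.toISOString(),
    categories: CATEGORIES.filter((cat) => consent[cat]),
  };
}

// Withdrawal or a policy change invalidates the stored record: ask again.
function recordIsCurrent(record) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION && !record.withdrawnAt;
}

// Third-party tags are registered as blocked scripts (type="text/plain" with a
// data-cookie-category attribute is a common pattern); this returns the ones
// that may now be activated for the given consent state.
function scriptsToActivate(registry, consent) {
  return registry.filter((s) => consent[s.category] === true).map((s) => s.src);
}

// Audit: given the cookies currently set (a document.cookie string) and a map
// of cookie-name prefix -> category, list every non-necessary cookie that is
// present although its category has no consent. Unknown cookies count too:
// a new plugin that sets an unregistered cookie is exactly what a rescan is for.
function cookiesSetWithoutConsent(cookieString, cookieRegistry, consent) {
  const violations = [];
  for (const pair of cookieString.split(';')) {
    const name = pair.split('=')[0].trim();
    if (!name) continue;
    const entry = cookieRegistry.find((r) => name.startsWith(r.prefix));
    const category = entry ? entry.category : 'unknown';
    if (category === 'necessary') continue;
    if (category === 'unknown' || consent[category] !== true) violations.push({ name, category });
  }
  return violations;
}

// Constructed sample registries for a demo run.
const SCRIPT_REGISTRY = [
  { src: '/js/cart.js', category: 'necessary' },
  { src: 'https://analytics.example/matomo.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];
const COOKIE_REGISTRY = [
  { prefix: 'wordpress_logged_in_', category: 'necessary' },
  { prefix: 'woocommerce_cart_hash', category: 'necessary' },
  { prefix: '_ga', category: 'analytics' },
  { prefix: '_fbp', category: 'marketing' },
];

// Before any consent: only the cart script runs, and a _ga or _fbp cookie that
// is already present is a finding to fix (a tag is firing before consent).
console.log(scriptsToActivate(SCRIPT_REGISTRY, rejectAll()));
console.log(cookiesSetWithoutConsent('wordpress_logged_in_x=1; _ga=GA1.2.1; _fbp=fb.1.2', COOKIE_REGISTRY, rejectAll()));
```

Running `cookiesSetWithoutConsent` on a fresh session (before the banner has been answered) is a cheap check to add to a staging smoke test: any result other than an empty list means a script is setting cookies ahead of consent.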
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
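The Data Subject Rights checklist above and the note that WordPress core tools do not reach plugin data come together in one pattern: every store that holds a subject's data implements the same find/erase interface, and a request fans out across all of them. The following is an added example of that pattern, not WordPress, WooCommerce or any plugin's code. The store names, sample rows, the tax-records retention reason and the 30-day deadline calculation are constructed for illustration.

```javascript
// Added example (not WordPress, WooCommerce or any plugin's code): fan an
// access/portability or erasure request out across every store that holds the
// subject's data, because the core Tools > Export/Erase screens do not reach
// plugin tables. The stores, rows, retention reason and 30-day deadline are
// constructed for illustration.

const RESPONSE_DEADLINE_DAYS = 30;

// Each store can find and erase one subject's rows, and may declare a lawful
// reason to retain some of them (the "with exceptions" in the checklist).
function sampleStores() {
  return {
    wp_users: {
      rows: [{ id: 7, email: 'alice@example.com', display_name: 'Alice' }],
      find(email) { return this.rows.filter((r) => r.email === email); },
      erase(email) {
        this.rows = this.rows.filter((r) => r.email !== email);
        return { erased: true };
      },
    },
    woocommerce_orders: {
      rows: [{ order: 1001, email: 'alice@example.com', total: 49.0 }],
      find(email) { return this.rows.filter((r) => r.email === email); },
      // Invoices must be kept for tax purposes: anonymise rather than delete,
      // and say so in the report that goes back to the requester.
      erase(email) {
        let touched = 0;
        for (const r of this.rows) {
          if (r.email === email) { r.email = 'anonymised'; touched++; }
        }
        return { erased: false, anonymised: touched, retained: 'legal obligation: tax records' };
      },
    },
    form_submissions: {
      rows: [{ id: 'f1', email: 'alice@example.com', message: 'hello' }],
      find(email) { return this.rows.filter((r) => r.email === email); },
      erase(email) {
        this.rows = this.rows.filter((r) => r.email !== email);
        return { erased: true };
      },
    },
  };
}

// The statutory clock: respond within 30 days of receipt (date only, UTC).
function deadlineFor(receivedAt) {
  const d = new Date(receivedAt);
  d.setUTCDate(d.getUTCDate() + RESPONSE_DEADLINE_DAYS);
  return d.toISOString().slice(0, 10);
}

// Access / portability: one machine-readable document from every store.
function exportSubject(stores, email, receivedAt) {
  const data = {};
  for (const [name, store] of Object.entries(stores)) data[name] = store.find(email);
  return { subject: email, respondBy: deadlineFor(receivedAt), data };
}

// Erasure: every store reports what it deleted and what it lawfully kept,
// so the reply to the data subject is complete and honest.
function eraseSubject(stores, email, receivedAt) {
  const report = {};
  for (const [name, store] of Object.entries(stores)) report[name] = store.erase(email);
  return { subject: email, respondBy: deadlineFor(receivedAt), report };
}

// Demo run on the constructed data.
const demo = sampleStores();
console.log(JSON.stringify(exportSubject(demo, 'alice@example.com', '2024-03-01T10:00:00Z'), null, 2));
console.log(JSON.stringify(eraseSubject(demo, 'alice@example.com', '2024-03-01T10:00:00Z'), null, 2));
```

The value of the shared interface is that adding a plugin means adding one store object; a plugin whose data you forgot to register is the gap the checklist's data-mapping step exists to catch.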
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
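The five requirements above, as an added example that is not part of the original post: a small consent manager (hypothetical names) that keeps registered analytics and marketing scripts from running until the visitor makes an active choice, treats an omitted category as refused, withdraws consent with one call, and keeps a consent record with timestamp and policy version. It takes an injected storage map in place of a real cookie or localStorage so it runs outside a browser.

```javascript
// Added example (not from the original post): a minimal cookie consent
// manager. Category names, function names and the storage interface are
// hypothetical; "strictly necessary" cookies are never gated by it.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

function createConsentManager({ policyVersion, storage = new Map(), clock = () => new Date() }) {
  const registry = { functional: [], analytics: [], marketing: [] };
  const loaded = new Set();   // script ids currently activated
  const records = [];         // consent log: what, when, under which policy version, by whom
  let nextId = 1;

  // Register a non-essential script (GA, Matomo, a pixel) with a loader and an
  // optional revoke hook. The loader runs only after consent for its category.
  function register(category, id, load, revoke = null) {
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    registry[category].push({ id, load, revoke });
  }

  function current() {
    return storage.get("cookie_consent") || null; // null: no decision recorded yet
  }

  // Store an explicit decision. Each category must be an explicit `true`; a
  // missing or pre-filled value counts as refused (no pre-ticked boxes, no
  // consent implied from scrolling or continuing to browse).
  function decide(choices, visitorId) {
    const granted = {};
    for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true;
    const record = {
      id: nextId++,
      visitorId,
      policyVersion,
      decidedAt: clock().toISOString(),
      granted,
    };
    storage.set("cookie_consent", record);
    records.push(record);
    apply(record);
    return record;
  }

  // "Accept all" and "Reject all" are both single actions of equal weight.
  const acceptAll = (visitorId) =>
    decide(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), visitorId);
  const rejectAll = (visitorId) => decide({}, visitorId);
  // Withdrawal is the same one-click action as giving consent.
  const withdraw = rejectAll;

  // Activate scripts whose category was granted; run revoke hooks for scripts
  // whose category is no longer granted (e.g. delete the cookies they set).
  function apply(record) {
    for (const category of NON_ESSENTIAL) {
      for (const script of registry[category]) {
        if (record.granted[category] && !loaded.has(script.id)) {
          script.load();
          loaded.add(script.id);
        } else if (!record.granted[category] && loaded.has(script.id)) {
          if (script.revoke) script.revoke();
          loaded.delete(script.id);
        }
      }
    }
  }

  // Call on every page load. Returns true if a stored decision was applied.
  // With no decision, nothing non-essential loads ("prior" consent). A
  // decision taken under an older policy version is not reused: re-ask.
  function init() {
    const record = current();
    if (!record || record.policyVersion !== policyVersion) return false;
    apply(record);
    return true;
  }

  const loadedScripts = () => [...loaded].sort();
  const consentLog = () => records.map((r) => ({ ...r, granted: { ...r.granted } }));

  return { register, decide, acceptAll, rejectAll, withdraw, init, current, loadedScripts, consentLog };
}
```

In a real deployment the revoke hook should delete the cookies the script set and the consent log should be persisted server-side, not only in the visitor's browser.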
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A, the simplest self-assessment questionnaire.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, use a separate checkbox for each consent purpose (email marketing vs. necessary account data); bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by up to two further months for complex or numerous requests under GDPR Article 12(3))
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as legal retention duties for invoices or tax records)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data (user profile, comments, media uploaded by the user) plus whatever a plugin has registered through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters; data held by a plugin that has not registered a handler is simply not included, with no warning. Run a test export for a throwaway account and check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear before you rely on the tool for a real request.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Every breach, including those you decide not to report, must be documented internally (facts, effects, remedial action: Article 33(5)), so keep a breach register. Designate someone responsible for breach assessment and notification, and know in advance which hosting, email and analytics vendors you would need to ask for logs.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000 or more California consumers or households per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal, which the CCPA regulations treat as a valid opt-out request that must be respected without any click from the visitor. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check whether your plugin also acts on GPC, since the footer link alone does not cover that requirement.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside processor-hosted iframes, and tokenizing them before anything reaches your server. Reduced scope is not zero scope: a compromised plugin or an injected script on the checkout page can still skim card details as they are typed (the Magecart pattern), so keep third-party scripts on checkout pages to a minimum, keep the plugins that render those pages patched, and treat any unexpected script on checkout as an incident.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 under COPPA; for consent-based services in the EU, GDPR Article 8 sets 16 by default, which member states may lower to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Do not keep the date of birth once the check has passed unless you have another reason to; a stored “age verified” flag is enough.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. GDPR consent is separate: each consent purpose (marketing emails, for example) needs its own unticked checkbox that is not bundled with ToS acceptance, and the data the account itself needs (email address, password) is processed under the contract basis rather than consent, so it should not be presented as a consent checkbox at all - bundled or mandatory “consent” is not valid consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy “soft opt-in” for existing customers is narrow: similar products only, with an opt-out offered at collection and in every message). Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in is the rule for commercial messages, with implied consent available only in limited, time-limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. With cookies disabled, IP addresses anonymised and no cross-visit user ID, it matches the configuration the French CNIL lists as exempt from consent; in its default cookie mode it needs consent like any other analytics tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
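A server-side safety net for the two "do not" rules above, as an added example (not code from the post, Stripe, PayPal or WooCommerce): it scans submitted form fields for anything that passes the Luhn check at card-number length and refuses to persist or log the submission. The sample submission is constructed; the card number in it is Stripe's publicly documented 4242 test number.

```javascript
// Added example (not code from the original post): a guard that refuses to
// store or log a form submission containing something that looks like a
// primary account number (PAN). It sits behind the real control (collect card
// data only through the processor's hosted fields) so that a mistaken plain
// card-number input, or a customer pasting a PAN into a support form, never
// lands in your database or logs.

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A PAN candidate is 13-19 digits, optionally separated by spaces or dashes,
// that passes the Luhn check. Luhn alone accepts roughly one random digit
// string in ten, so a hit means "block and review", not proof of a card number.
function findPanCandidates(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(m[0]);
    }
  }
  return hits;
}

// Keep only the last four digits, which is what you may safely write to a log.
function redactPan(s) {
  const digits = s.replace(/[ -]/g, "");
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Inspect every string field of a submission before it is persisted or logged.
// Returns { ok, violations }, each violation naming the field and a redacted value.
function scanSubmission(fields) {
  const violations = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    for (const hit of findPanCandidates(value)) {
      violations.push({ field: name, redacted: redactPan(hit) });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample: a support form where the customer pasted a card number
// (Stripe's well-known 4242 test number) into the free-text message.
const SAMPLE_SUBMISSION = {
  name: "Jane Example",
  phone: "+1 415 555 0123",
  order_ref: "ORD-2024-0042",
  message: "Hi, my payment failed. Card is 4242 4242 4242 4242, exp 12/30.",
};

function demo() {
  return scanSubmission(SAMPLE_SUBMISSION);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run the check before form data is written to the database or to any log sink, including error trackers and support-chat transcripts: a PAN that lands anywhere in your own systems is exactly what pulls you out of SAQ A scope. Phone numbers and order references fall below the 13-digit floor, which is why the sample's other fields pass.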
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
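The five requirements above as a client-side consent manager, added here as an example; it is not code from the post or from any of the plugins compared in it. The policy version and script URLs are constructed placeholders, and the script loader is injected so the logic also runs headless (in a browser you would pass a function that appends a script element).

```javascript
// Added example (not code from the original post): a minimal consent manager
// that enforces prior, granular, withdrawable consent and keeps a record of
// every decision. Only "necessary" is allowed by default; nothing else is
// loaded until the visitor actively grants that category.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

class ConsentManager {
  constructor({ policyVersion, loadScript, now = () => new Date() }) {
    this.policyVersion = policyVersion;  // version of the cookie policy consented to
    this.loadScript = loadScript;        // injected: e.g. append a <script> in a browser
    this.now = now;
    this.granted = new Set(["necessary"]); // no pre-ticked boxes
    this.pending = [];   // scripts registered before a decision was made
    this.loaded = [];    // scripts actually released to the loader
    this.records = [];   // audit trail: what was consented to, when, which policy
  }

  // Register a third-party script under a category. It stays queued until the
  // category is granted ("prior" consent); only strictly necessary loads at once.
  register(src, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    this.pending.push({ src, category });
    this.flush();
  }

  // Record a decision. `choices` maps category -> boolean; anything the visitor
  // did not explicitly tick stays denied (no bundling, no implicit defaults).
  decide(choices, method) {
    const granted = new Set(["necessary"]);
    for (const c of CATEGORIES) {
      if (c !== "necessary" && choices[c] === true) granted.add(c);
    }
    this.granted = granted;
    this.records.push({
      at: this.now().toISOString(),
      method,                                   // which control the visitor used
      policyVersion: this.policyVersion,
      granted: CATEGORIES.filter((c) => granted.has(c)),
    });
    this.flush();
    return this.records[this.records.length - 1];
  }

  // "Accept All" and "Reject All" must be equally available.
  acceptAll(method = "banner-accept-all") {
    return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), method);
  }

  rejectAll(method = "banner-reject-all") {
    return this.decide({}, method);
  }

  // Withdrawal as easy as granting: one call from the footer settings link.
  withdraw(category, method = "footer-settings") {
    const choices = {};
    for (const c of this.granted) if (c !== category) choices[c] = true;
    return this.decide(choices, method);
  }

  isGranted(category) {
    return this.granted.has(category);
  }

  // Release queued scripts whose category is now granted. A script already
  // loaded cannot be unloaded; withdrawal stops future loads and the record
  // shows when the change happened.
  flush() {
    const still = [];
    for (const s of this.pending) {
      if (this.granted.has(s.category)) {
        this.loadScript(s.src);
        this.loaded.push(s.src);
      } else {
        still.push(s);
      }
    }
    this.pending = still;
  }
}

// A typical visit: tags are registered at page load but only released after an
// explicit, granular decision; withdrawal is recorded like any other decision.
function demo() {
  const calls = [];
  const cm = new ConsentManager({
    policyVersion: "2024-01",                      // constructed placeholder
    loadScript: (src) => calls.push(src),
  });
  cm.register("https://example.invalid/analytics.js", "analytics"); // placeholder URL
  cm.register("https://example.invalid/pixel.js", "marketing");     // placeholder URL
  const beforeDecision = calls.length;                               // 0: nothing loaded yet
  cm.decide({ analytics: true }, "banner-accept-selected");          // analytics only
  const afterAnalytics = calls.slice();                              // only analytics.js
  cm.withdraw("analytics");
  return { beforeDecision, afterAnalytics, records: cm.records, cm };
}

console.log(JSON.stringify(demo().records, null, 2));
```

The property that matters is the order of operations: tags are registered when the page loads, but the loader only fires after a decision, so nothing outside the strictly-necessary category reaches the visitor before consent. A real plugin additionally has to neutralise script tags that are already in the HTML (the "Script Blocking" column in the comparison table), which is outside what this example covers.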
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
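The practical requirements above and the category table, implemented as an added example in JavaScript (not code from the page or from any of the consent plugins compared below): optional categories default to off, a stored record holds what was consented to, when and how, "Accept All", "Reject All" and withdrawal are each one call, non-essential scripts run only after an explicit current decision, and a record made under an older policy version counts as no decision. The storage key, the policy version string, the `data-consent-category` tag convention and the in-memory storage adapter are assumptions.

```javascript
// Added example, not code from the page or from any plugin it compares.
// Constructed values: the storage key and the policy version string.
const STORAGE_KEY = 'cookie_consent';   // where the visitor's decision is kept (localStorage in a browser)
const POLICY_VERSION = '2026-01';       // bump whenever the cookie policy or categories change
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// State before any decision: only strictly-necessary is on. There are no
// pre-ticked optional boxes, and scrolling or continuing to browse never changes this.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Minimal adapter with the localStorage interface, in memory so the example
// runs under Node; in a browser pass window.localStorage instead.
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

class ConsentManager {
  // onRecord: optional callback that receives every record, e.g. to POST a copy
  // to the server-side consent log that the checklist on this page asks for.
  constructor({ storage = createMemoryStorage(), now = () => new Date(), onRecord = null } = {}) {
    this.storage = storage;
    this.now = now;
    this.onRecord = onRecord;
  }

  // The stored record, or null when there is no valid decision yet. A record
  // made under an older policy version counts as no decision: what the visitor
  // agreed to has changed, so the banner must be shown again.
  getRecord() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  // Persist an active, granular choice. `method` documents how consent was given
  // ('accept_all', 'reject_all', 'custom', 'withdraw'); together with the timestamp
  // and the per-category choices it forms the consent record you must keep.
  record(choices, method) {
    const saved = defaultChoices();
    for (const cat of CATEGORIES) {
      if (cat === 'necessary') continue;  // exempt category, cannot be switched off
      if (typeof choices[cat] !== 'boolean') throw new Error(`missing choice for ${cat}`);
      saved[cat] = choices[cat];
    }
    const rec = { version: POLICY_VERSION, timestamp: this.now().toISOString(), method, choices: saved };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    if (this.onRecord) this.onRecord(rec);
    return rec;
  }

  // "Accept All" and "Reject All" are offered as equals: one call each.
  acceptAll() { return this.record({ functional: true, analytics: true, marketing: true }, 'accept_all'); }
  rejectAll() { return this.record({ functional: false, analytics: false, marketing: false }, 'reject_all'); }
  // Withdrawal is as easy as giving consent (wire it to the footer settings link);
  // it is logged under its own method so the record shows the change of mind.
  withdraw() { return this.record({ functional: false, analytics: false, marketing: false }, 'withdraw'); }

  // Prior consent: a non-essential category is allowed only after an explicit, current decision.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (category === 'necessary') return true;
    const rec = this.getRecord();
    return rec !== null && rec.choices[category] === true;
  }

  // Which blocked tags may run now. In a browser the tags would be written as
  // <script type="text/plain" data-consent-category="analytics" data-src="..."> so the
  // browser never executes them; the caller swaps the returned ones for real <script> elements.
  scriptsToActivate(tags) {
    return tags.filter((t) => this.isAllowed(t.category));
  }
}
```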
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
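The requirements listed above (prior consent, granular categories, withdrawal as easy as granting, a stored record) and the category table are exactly what a consent manager has to enforce in the browser. The block below is an added example written for this page, not code from the article or from any of the plugins compared in the next section. The script URLs, the storage key and the policy version number are constructed; storage and script loading are injected so the same logic runs against `localStorage` in a browser or an in-memory store in a test. It refuses to load any non-necessary script until a decision has been stored, loads only the consented categories, treats a record written under an older policy version as no consent at all, and records what was decided, when and how.

```javascript
// Added example (not from the original article): a minimal consent manager that
// enforces "prior, granular, withdrawable, recorded" consent for non-essential scripts.

const CONSENT_VERSION = 2; // bump whenever the cookie policy text or categories change
const CATEGORIES = ["functional", "analytics", "marketing"]; // "necessary" needs no consent

// Scripts gated by category (constructed sample URLs, not real tags).
const SCRIPT_REGISTRY = {
  analytics: ["https://analytics.example/collect.js"],
  marketing: ["https://ads.example/pixel.js"],
};

function createConsentManager({ store, loadScript, now = () => new Date() }) {
  const loaded = new Set(); // URLs already injected on this page view

  // A valid record is one written under the current policy version; anything else is
  // treated as "no decision yet", which means default-deny and show the banner again.
  function read() {
    const raw = store.get("consent");
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (rec.version !== CONSENT_VERSION || !Array.isArray(rec.granted)) return null;
    return rec;
  }

  // The stored record is the consent log entry: what, when and by which action.
  function write(granted, method) {
    const rec = {
      version: CONSENT_VERSION,
      timestamp: now().toISOString(),
      method, // "accept_all" | "reject_all" | "custom" | "withdraw"
      granted: CATEGORIES.filter((c) => granted.includes(c)),
    };
    store.set("consent", JSON.stringify(rec));
    return rec;
  }

  function isAllowed(category) {
    if (category === "necessary") return true; // strictly necessary cookies are exempt
    const rec = read();
    return rec !== null && rec.granted.includes(category); // default-deny until the user decides
  }

  // Inject registered scripts for consented categories only, each at most once.
  function apply() {
    const started = [];
    for (const [cat, urls] of Object.entries(SCRIPT_REGISTRY)) {
      if (!isAllowed(cat)) continue;
      for (const url of urls) {
        if (loaded.has(url)) continue;
        loaded.add(url);
        loadScript(url);
        started.push(url);
      }
    }
    return started;
  }

  return {
    needsBanner: () => read() === null, // banner stays until a valid decision exists
    acceptAll: () => write(CATEGORIES, "accept_all"),
    rejectAll: () => write([], "reject_all"), // "Reject All" is one click, like "Accept All"
    save: (cats) => write(cats, "custom"), // granular choice from the settings dialog
    withdraw: () => write([], "withdraw"), // withdrawal is as easy as granting: one call
    isAllowed,
    apply,
    record: read,
  };
}

// In-memory store for tests. In a browser use localStorage, or a first-party cookie
// if the server also needs to read the decision.
function memoryStore() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v) };
}

// Browser wiring (assumed DOM; not exercised here):
// const cm = createConsentManager({
//   store: { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) },
//   loadScript: (src) => { const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s); },
// });
// if (cm.needsBanner()) showBanner(cm); else cm.apply();
```

Two points worth noting: a withdrawal cannot unload a third-party script that is already running on the current page, so the manager only guarantees it will not be loaded on the next page view, and the settings handler should also delete the cookies that script set. Bumping `CONSENT_VERSION` is how a changed cookie policy forces a fresh decision instead of silently relying on consent given for an older policy.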
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment cards, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
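If you run your own sign-up flow instead of a platform’s form, the double opt-in procedure described above has to produce the same consent record: date, IP and method, captured at the moment the confirmation link is clicked. The block below is an added example for this page, not the article’s code and not any vendor’s API. Storage is an in-memory map (a real deployment would persist the same records), the 48-hour confirmation window is an assumed policy, and the token generator is injected so a deterministic one can be used in tests. It never adds an address to the mailable list before confirmation, makes confirmation links single-use, and applies an unsubscribe immediately while keeping the consent history.

```javascript
// Added example (not from the original article): a double opt-in mailing-list flow that
// records consent evidence and honours unsubscribe requests at once.

const CONFIRM_TTL_MS = 48 * 60 * 60 * 1000; // assumed policy: unconfirmed sign-ups lapse after 48h

function createMailingList({ newToken, now = () => new Date() }) {
  const subscribers = new Map();   // email -> subscriber record
  const confirmTokens = new Map(); // confirmation token -> email
  const unsubTokens = new Map();   // unsubscribe token -> email

  const normalize = (email) => email.trim().toLowerCase();

  // Step 1: the sign-up form is submitted. The address is NOT added to the list yet; the
  // request is stored and the token returned goes into the confirmation link.
  function requestSubscription(rawEmail, { ip, source }) {
    const email = normalize(rawEmail);
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) throw new Error("invalid email address");
    const existing = subscribers.get(email);
    if (existing && existing.status === "confirmed") return { status: "already_confirmed" };
    // Any earlier confirmation link for this address stops working.
    for (const [tok, e] of confirmTokens) if (e === email) confirmTokens.delete(tok);
    const token = newToken();
    confirmTokens.set(token, email);
    const unsubscribeToken = newToken(); // per-subscriber, embedded in every email sent
    unsubTokens.set(unsubscribeToken, email);
    subscribers.set(email, {
      email,
      status: "pending",
      unsubscribeToken,
      consent: { method: "double_opt_in", source, requestedAt: now().toISOString(), requestIp: ip },
    });
    return { status: "pending", token };
  }

  // Step 2: the confirmation link is clicked. This click is the consent event, so its
  // timestamp and IP are what get stored as proof.
  function confirm(token, { ip }) {
    const email = confirmTokens.get(token);
    if (!email) return { status: "invalid_token" };
    confirmTokens.delete(token); // single use
    const rec = subscribers.get(email);
    const t = now();
    if (t.getTime() - Date.parse(rec.consent.requestedAt) > CONFIRM_TTL_MS) {
      subscribers.delete(email); // lapsed request: no consent was given, keep nothing
      unsubTokens.delete(rec.unsubscribeToken);
      return { status: "expired" };
    }
    rec.status = "confirmed";
    rec.consent.confirmedAt = t.toISOString();
    rec.consent.confirmIp = ip;
    return { status: "confirmed", record: rec };
  }

  // Unsubscribe via the token in the email footer: effective immediately, and the record
  // is kept with its status change so the consent trail survives.
  function unsubscribe(token) {
    const email = unsubTokens.get(token);
    const rec = email && subscribers.get(email);
    if (!rec) return { status: "unknown" };
    rec.status = "unsubscribed";
    rec.consent.unsubscribedAt = now().toISOString();
    return { status: "unsubscribed" };
  }

  // The only addresses a campaign may ever be sent to.
  function mailable() {
    return [...subscribers.values()].filter((r) => r.status === "confirmed").map((r) => r.email);
  }

  return { requestSubscription, confirm, unsubscribe, mailable, get: (e) => subscribers.get(normalize(e)) };
}

// Default token source: unguessable random UUIDs from the Web Crypto API (browsers and
// Node 19+, an assumed runtime). Inject another generator on older runtimes or in tests.
function defaultToken() {
  return globalThis.crypto.randomUUID();
}
```

Usage: `createMailingList({ newToken: defaultToken })`, call `requestSubscription` from the form handler and put the returned token in the confirmation link, call `confirm` from that link’s handler, and send campaigns only to `mailable()`. The record returned by `confirm` is what you would show a regulator asking for proof of consent.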
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
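The consent requirements listed above and the category table, as an added example that is not from the original post or from any of the plugins compared below. It is a minimal consent manager: every non-essential category starts unticked, third-party scripts are registered behind a category and run only after an explicit grant, Reject All is as easy as Accept All, withdrawal is one call, and every decision produces a log record (what, when, which pseudonymous visitor, how). The names `createConsentManager`, `loadScript`, the `cc_consent` cookie, the policy version string and the example script URLs are assumptions for illustration.

```javascript
// Added example: a consent manager enforcing prior, granular, withdrawable consent.
// Names and the cookie/version values are assumed; this is not any plugin's code.

const POLICY_VERSION = '2024-01'; // bump when the cookie policy changes: older consent is re-asked
const CONSENT_COOKIE = 'cc_consent'; // first-party cookie holding the choice; strictly necessary, so exempt

// Pseudonymous id so consent records can be tied to one visitor without personal data.
function newSubjectId() {
  const c = globalThis.crypto;
  return c && c.randomUUID ? c.randomUUID() : Math.random().toString(36).slice(2);
}

// Inject a third-party <script> only when running in a browser; a no-op elsewhere.
function loadScript(src) {
  if (typeof document === 'undefined') return false;
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
  return true;
}

function createConsentManager({ now = () => new Date(), subjectId = newSubjectId() } = {}) {
  // No pre-ticked boxes: every non-essential category starts as false.
  const choices = { functional: false, analytics: false, marketing: false };
  const loaders = { functional: [], analytics: [], marketing: [] };
  const fired = new Set(); // loaders that already ran; a script cannot be un-run
  const records = [];      // consent log: what was consented to, when, by whom, how
  let decided = false;     // nothing non-essential loads until the visitor decides

  function record(method) {
    records.push({ subjectId, policyVersion: POLICY_VERSION, at: now().toISOString(), method, choices: { ...choices } });
  }

  // Run every loader whose category now has consent. "Prior" consent in practice:
  // loaders registered before the decision simply wait here.
  function run() {
    if (!decided) return;
    for (const cat of Object.keys(loaders)) {
      if (!choices[cat]) continue;
      loaders[cat].forEach((fn, i) => {
        const key = `${cat}:${i}`;
        if (!fired.has(key)) { fired.add(key); fn(); }
      });
    }
  }

  // Granular consent: one boolean per category; anything omitted counts as refused.
  function grant(selection, method = 'banner') {
    for (const cat of Object.keys(choices)) choices[cat] = Boolean(selection[cat]);
    decided = true;
    record(method);
    run();
  }

  return {
    register(category, loader) {
      if (!(category in loaders)) throw new Error(`unknown or exempt category: ${category}`);
      loaders[category].push(loader);
      run(); // honours a choice the visitor already made earlier in the session
    },
    grant,
    acceptAll: (method) => grant({ functional: true, analytics: true, marketing: true }, method),
    rejectAll: (method) => grant({}, method), // "Reject All" is one click, like "Accept All"
    // Withdrawal is as easy as consent. Returns true when a script of that category already
    // ran, in which case the caller must clear the vendor's cookies and reload the page.
    withdraw(category) {
      if (!(category in choices)) throw new Error(`unknown or exempt category: ${category}`);
      choices[category] = false;
      record('withdraw');
      return loaders[category].some((_, i) => fired.has(`${category}:${i}`));
    },
    hasConsent: (cat) => cat === 'necessary' || (decided && choices[cat] === true),
    isDecided: () => decided,
    records: () => records.map((r) => ({ ...r, choices: { ...r.choices } })),
    // Value to store in CONSENT_COOKIE and to send to the server-side consent log.
    serialize: () => JSON.stringify({ v: POLICY_VERSION, d: decided, c: choices }),
    // Restore from the cookie; a stale policy version means the banner must be shown again.
    restore(raw) {
      let saved;
      try { saved = JSON.parse(raw); } catch { return false; }
      if (!saved || saved.v !== POLICY_VERSION || !saved.d || !saved.c) return false;
      for (const cat of Object.keys(choices)) choices[cat] = saved.c[cat] === true;
      decided = true;
      run();
      return true;
    },
  };
}

// Typical wiring on a page: analytics and ad pixels sit behind their category.
// The banner's buttons would call consent.acceptAll(), consent.rejectAll() or consent.grant({...}).
const consent = createConsentManager();
consent.register('analytics', () => loadScript('https://analytics.example/script.js'));
consent.register('marketing', () => loadScript('https://ads.example/pixel.js'));
```

Two points the code makes explicit. First, a consent manager can only block scripts it is in front of: a tag pasted directly into the theme header bypasses it, which is why the plugins below advertise "script blocking". Second, withdrawal cannot unload a script that already ran, so the honest implementation reports that and forces a reload after clearing the vendor's cookies.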
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
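A defensive check behind the "do not collect, do not store" rule above, as an added example that is not from the original post, Stripe, PayPal or WooCommerce. Even with the processor's form in place, a custom contact form, a support ticket or a misconfigured checkout field can still deliver a card number to your server; this guard, placed in front of the persistence layer, rejects any submission containing a field that looks like a card number (13 to 19 digits passing the Luhn check) and redacts it for logging. Function names are assumed; the sample payload is constructed.

```javascript
// Added example: server-side guard that refuses to store card numbers.
// Function names are assumed; this is not a processor's API.

// Luhn checksum used by all major card brands. Here it separates real card numbers
// from other long digit strings (order ids, tracking numbers) that would be false positives.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Card numbers are 13 to 19 digits, often typed with spaces or dashes between groups.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a submitted payload (nested objects and arrays) and return dotted paths of PAN-like fields.
function findPanFields(payload, path = '') {
  if (payload === null || payload === undefined) return [];
  if (typeof payload === 'object') {
    return Object.entries(payload).flatMap(([k, v]) =>
      findPanFields(v, path ? `${path}.${k}` : String(k)));
  }
  return findPans(payload).length ? [path] : [];
}

// The only form a card number may take in a log: last four digits.
function maskPan(digits) { return `****${digits.slice(-4)}`; }

// Copy of the payload that is safe to log; PAN-like values are replaced, never stored.
function redactPayload(payload) {
  if (payload === null || typeof payload !== 'object') {
    const pans = findPans(payload);
    return pans.length ? `[REDACTED PAN ${maskPan(pans[0])}]` : payload;
  }
  if (Array.isArray(payload)) return payload.map(redactPayload);
  return Object.fromEntries(Object.entries(payload).map(([k, v]) => [k, redactPayload(v)]));
}

// Gate in front of persistence: reject outright rather than quietly storing cardholder
// data that the payment processor was supposed to tokenize client-side.
function acceptSubmission(payload) {
  const offending = findPanFields(payload);
  if (offending.length) {
    return { ok: false, reason: 'card data must go to the payment processor', fields: offending };
  }
  return { ok: true, data: payload };
}
```

The Luhn filter matters for false positives: a 13-digit order number or a 16-digit tracking number fails the checksum and passes through untouched, while a real card number in any field, at any nesting depth, is caught. Log the redacted copy, never the original, so the rejection itself does not put card data into your log files.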
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers), and for any of them outside the EU/UK, the transfer basis you rely on (Standard Contractual Clauses or the EU-US Data Privacy Framework, for example)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, object to processing, and lodge a complaint with a supervisory authority
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox at registration or checkout (clickwrap) is consistently upheld by courts; “by using this site you agree” language with no affirmative act (browsewrap) frequently is not, so use the checkbox wherever there is a form to put it on
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storage on, or access to, the visitor’s device, not only cookies: localStorage, tracking pixels and fingerprinting scripts are all in scope. “Prior” means before the cookie is set or the tracking script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7), so store what was consented to, when, which version of the banner text was shown, and a random consent ID that ties the record to the visitor’s choice. Do not turn the consent log into a tracking database: a UUID, a timestamp and the chosen categories are enough, and logging full IP addresses and browser details for anonymous visitors creates more personal data than the record needs
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under GDPR; cookieless setups are covered under Privacy-First Analytics below |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Whatever plugin you choose, verify the result rather than trusting its dashboard: open the site in a fresh private window and, before clicking anything, check the Network and Application/Storage tabs in the browser developer tools. Any third-party request or non-essential cookie that appears before you click “Accept” means script blocking is not working, usually because a theme or plugin injects its tag outside the consent manager’s control. Geo-targeting is IP-based and approximate (VPNs, corporate proxies); if in doubt, show the banner to everyone.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt; GDPR allows up to two further months for complex or numerous requests, but you must tell the requester about the extension within the first month)
- Process for deletion requests (erase within the same one-month window, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form) and how you verify the requester’s identity before releasing or deleting anything: an unverified access request is a well-known way to extract someone else’s data
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you (GDPR Article 28). This includes: Google Analytics (accept Google’s data processing terms in the Analytics account settings), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order. Keep the signed copy and its version date for each vendor in one place: the maintenance table later in this guide asks you to verify DPAs annually, and you cannot do that from memory.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core data (users, comments, media) but only include plugin data when the plugin registers with the tools through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. WooCommerce does; check whether your BuddyPress profiles, form submissions, and membership or course plugins do, and test it rather than assume: run an export for a test account and compare the result against every table those plugins write to.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Your processors (host, email platform, form service) must tell you, the controller, without undue delay, and you must document every breach internally, including those you decide not to report, with the facts, the effects, and the remedial action taken. Designate someone responsible for breach assessment and notification in your organization, and write the timeline down: 72 hours is short when the first day goes to establishing what actually happened.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor opt-out preference signals such as Global Privacy Control (the Sec-GPC request header), which the CPRA regulations treat as a valid opt-out request. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin also reacts to GPC rather than only rendering the link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When the card fields are served by the processor (a redirect or an iframe) and card data never touches your servers or your own JavaScript, your PCI scope is reduced to SAQ A (the simplest self-assessment questionnaire). If your own page’s JavaScript collects the card number and posts it to the processor, you are in SAQ A-EP instead, which is considerably longer.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of logs, error reporters, and form-plugin entries. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by rendering the card fields in processor-hosted iframes and returning only a token to your server. SAQ A is not “no obligations”: PCI DSS 4.0 (requirements 6.4.3 and 11.6.1) expects even SAQ A merchants to keep an inventory of the scripts loaded on the checkout page, authorize each one, and detect tampering, because a malicious script on your page can replace the payment iframe with a look-alike form. A Content Security Policy on the checkout page and a plugin-by-plugin audit of what loads there are the practical way to meet that.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, so put the renewal date in the same calendar as the compliance tasks later in this guide. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version the user agreed to alongside the account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and a marketing checkbox must never be pre-ticked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and a physical postal address, and opt-out requests must be honored within 10 business days. Under CASL (Canada), explicit opt-in is required for commercial messages, with narrow exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required) and process them automatically, since Gmail and Yahoo now require bulk senders to support one-click unsubscribe via the List-Unsubscribe headers, and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour - and analytics and advertising cookies count as monitoring. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing data of people in the EU (offering goods/services or monitoring behaviour) | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
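The consent rules listed above and the category table translate into a small amount of client-side state: default deny for every optional category, an explicit record of what was chosen and when, withdrawal that is as easy as acceptance, and a re-prompt when the policy changes. This is an added example (not code from the article or from any plugin); it is pure JavaScript with no DOM access so the rules can be unit-tested, and the policy version string and banner configuration fields are assumed names.

```javascript
// Categories from the article's table. Only the strictly necessary category is
// exempt from consent (session, login, cart and CSRF token cookies).
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]);

// Assumed identifier for the current cookie policy. Bump it whenever cookies or
// purposes change; records made under an older version then trigger a re-prompt.
const POLICY_VERSION = "2026-01";

// State before the visitor has interacted: only exempt cookies are allowed.
// This is what "prior consent" means in practice - nothing else runs yet.
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = EXEMPT.has(c);
  return { choices, policyVersion: POLICY_VERSION, recordedAt: null, subjectId: null, method: null };
}

// Check a banner configuration against the article's rules: no pre-ticked optional
// boxes, Reject All beside Accept All, no consent by scrolling, and a way to
// withdraw later. Returns a list of problems; an empty list means acceptable.
function validateBanner(config) {
  const problems = [];
  for (const [cat, ticked] of Object.entries(config.preTicked || {})) {
    if (ticked && !EXEMPT.has(cat)) problems.push(`pre-ticked optional category: ${cat}`);
  }
  if (config.acceptAllButton && !config.rejectAllButton) problems.push("Accept All offered without Reject All");
  if (config.consentOnScroll) problems.push("scrolling or continuing to browse treated as consent");
  if (!config.settingsLink) problems.push("no way to withdraw consent later (settings link missing)");
  return problems;
}

// Turn an explicit choice into a consent-log record: what was consented to, when,
// and by which (pseudonymous) subject. Exempt categories are always on; anything
// not explicitly set to true counts as "no".
function recordConsent(subjectId, choices, now, method = "banner") {
  const record = defaultConsent();
  for (const c of CATEGORIES) {
    if (!EXEMPT.has(c)) record.choices[c] = choices[c] === true;
  }
  record.subjectId = subjectId;
  record.recordedAt = now.toISOString();
  record.method = method;
  return record;
}

// Withdrawal must be as easy as consent: one call turns every optional category
// off and produces a new log entry rather than editing the old one.
function withdrawConsent(record, now) {
  return recordConsent(record.subjectId, {}, now, "withdrawal");
}

// Whether a script tagged with `category` may be activated for this visitor.
// A missing, unrecorded, or out-of-date record means "no" for every optional category.
function mayLoad(category, record) {
  if (EXEMPT.has(category)) return true;
  if (!record || record.recordedAt === null || record.policyVersion !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// Show the banner again when there is no valid record for the current policy version.
function needsBanner(record) {
  return !record || record.recordedAt === null || record.policyVersion !== POLICY_VERSION;
}
```

In a real banner, `mayLoad` decides whether each blocked tag (for example a `<script type="text/plain" data-category="analytics">` placeholder) is swapped in, and the record returned by `recordConsent` is what goes into the consent log.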
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
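A server-side guard enforces the "never touches yours" rule rather than hoping for it. The following is an added example, not code from this post, Stripe, PayPal or WooCommerce: it accepts only a processor token from the client and rejects any request in which a field, at any nesting depth, looks like a card number (13 to 19 digits passing the Luhn check), so a PAN pasted into a notes field or sent by a mis-wired form never reaches your database or logs. The `tok_`/`pm_` token prefixes are Stripe's formats; the field names are assumptions.

```javascript
// Added example (not code from the post or from any payment processor): a
// server-side scope guard. The checkout form sends only the processor's
// token; anything that looks like a PAN is rejected before it can be stored
// or logged. Field and token names are assumptions.

// Luhn check: every real card number passes it, so it separates PANs from
// order numbers and phone numbers of similar length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes, it is
// 13 to 19 digits and passes Luhn.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Token formats this guard accepts. Assumption: Stripe-style "tok_" (card
// token) and "pm_" (payment method) prefixes; adjust for your processor.
const TOKEN_PATTERN = /^(tok|pm)_[A-Za-z0-9]+$/;

// Walk the whole payload, nested objects included, so a PAN hidden in a
// "notes" or "metadata" field is caught as well as an obvious card_number.
function findPanFields(obj, path = "") {
  const hits = [];
  if (obj && typeof obj === "object") {
    for (const [k, v] of Object.entries(obj)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(obj)) {
    hits.push(path);
  }
  return hits;
}

// Returns { ok: true, paymentMethod } or { ok: false, error }. The error
// names the offending field path but never echoes its value: an error log
// that contains the PAN would put the log server in PCI scope.
function validatePaymentPayload(payload) {
  const body = payload || {};
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return { ok: false, error: `card data received in field(s): ${panFields.join(", ")}` };
  }
  if (!TOKEN_PATTERN.test(body.payment_method || "")) {
    return { ok: false, error: "missing processor token" };
  }
  return { ok: true, paymentMethod: body.payment_method };
}
```

Run `validatePaymentPayload` on the parsed request body before any logging middleware sees it. A rejection here is also a useful signal: if it fires in production, something on the client side is sending raw card data and your SAQ A assumption no longer holds.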
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
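The age check mentioned above is easy to get subtly wrong (time zones, 29 February birthdays, impossible dates that JavaScript's `Date` silently rolls over). This is an added example, not code from the post: a date-of-birth check for a registration form that picks the minimum age by region as the text describes, 13 by default and 16 for EU visitors. The EU list is the EU-27 as of this writing; the check does not model the member states that have lowered the GDPR age to 13, 14 or 15, and every name here is an assumption.

```javascript
// Added example, not from the post: a registration-form age check with the
// minimum age chosen by region (13 by default, 16 for EU visitors). The EU
// list is the EU-27; everything else here is an assumption.
const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

function minimumAgeFor(countryCode) {
  return EU_COUNTRIES.has(String(countryCode || "").toUpperCase()) ? 16 : 13;
}

// Parse yyyy-mm-dd into calendar fields and reject impossible dates such as
// 2023-02-30, which Date() would otherwise roll over into March.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s || ""));
  if (!m) return null;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) return null;
  return [y, mo, d];
}

// Whole years between the two dates, computed on calendar fields so time
// zones cannot shift the result. A 29 February birthday counts as reached on
// 1 March in non-leap years.
function ageOn([by, bm, bd], [ty, tm, td]) {
  let age = ty - by;
  if (tm < bm || (tm === bm && td < bd)) age -= 1;
  return age;
}

// Returns { ok, age, minAge } or { ok: false, reason }. `today` is passed in
// rather than read from the clock so the check is deterministic and testable.
function checkRegistrationAge({ dob, country, today }) {
  const birth = parseIsoDate(dob);
  const ref = parseIsoDate(today);
  if (!birth || !ref) return { ok: false, reason: "invalid date" };
  const age = ageOn(birth, ref);
  if (age < 0) return { ok: false, reason: "date of birth is in the future" };
  const minAge = minimumAgeFor(country);
  return age >= minAge
    ? { ok: true, age, minAge }
    : { ok: false, reason: `minimum age is ${minAge}`, age, minAge };
}
```

One design choice to carry over: when the check fails, discard the submitted form data rather than saving a partial account, and when it passes, consider storing only the fact that the check passed and when, not the date of birth itself, unless you have another reason to keep it. Collecting less is the simplest way to keep COPPA and GDPR data minimization both satisfied.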
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
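As an added example (not code from the post or from any of the plugins it compares), the gating and record-keeping logic described by the requirements list and the category table above, written as a small consent manager that runs in a browser or in Node; the category names, policy version and re-consent interval are assumptions, not values from the article.

```javascript
// Added example (not from the original post): consent gating and record-keeping
// for the requirements above. Category names, the policy version and the
// re-consent interval are assumptions, not values from the article.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-05"; // assumed; bump whenever the cookie policy changes
const RECONSENT_DAYS = 365;       // assumed; re-ask yearly and whenever the policy changes

// Nothing is pre-ticked: only strictly necessary is on, and it can never be
// switched off (session, login, cart and CSRF cookies are exempt from consent).
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  // loadScript and now are injected so the same logic runs in a browser
  // (loadScript appends a <script> tag) and in Node (loadScript is a stub).
  constructor({ loadScript, now = () => new Date(), log = [] }) {
    this.loadScript = loadScript;
    this.now = now;
    this.log = log;            // consent records: who, when, what, how, which policy
    this.choices = defaultChoices();
    this.pending = [];         // third-party scripts waiting for their category
    this.loaded = new Set();
  }
  // Register a script under a category. Strictly necessary scripts run at once;
  // everything else stays blocked until an explicit matching consent exists.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ category, src });
    this.flush();
  }
  flush() {
    for (const s of this.pending) {
      if (this.choices[s.category] && !this.loaded.has(s.src)) {
        this.loaded.add(s.src);
        this.loadScript(s.src);
      }
    }
  }
  // Every change goes through here so the log proves the choice was active:
  // method is "accept_all", "reject_all", "custom" or "withdraw", never "scrolled".
  record(subjectId, choices, method) {
    const clean = defaultChoices();
    for (const c of CATEGORIES) {
      if (c !== "necessary") clean[c] = Boolean(choices[c]); // granular, per category
    }
    this.choices = clean;
    const entry = {
      subjectId,                       // pseudonymous visitor or session id
      method,
      policyVersion: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      choices: { ...clean },
    };
    this.log.push(entry);
    this.flush();
    return entry;
  }
  acceptAll(subjectId) {
    return this.record(subjectId, { functional: true, analytics: true, marketing: true }, "accept_all");
  }
  // "Reject All" must be as easy as "Accept All": one call, same record shape.
  rejectAll(subjectId) {
    return this.record(subjectId, {}, "reject_all");
  }
  save(subjectId, choices) {
    return this.record(subjectId, choices, "custom");
  }
  // Withdrawal only blocks future loads; scripts already on the page keep running
  // until reload, so the caller should also delete that category's cookies.
  withdraw(subjectId) {
    return this.record(subjectId, {}, "withdraw");
  }
  latest(subjectId) {
    for (let i = this.log.length - 1; i >= 0; i--) {
      if (this.log[i].subjectId === subjectId) return this.log[i];
    }
    return null;
  }
  // Show the banner when there is no record, the policy changed, or the record is stale.
  needsBanner(subjectId) {
    const rec = this.latest(subjectId);
    if (!rec || rec.policyVersion !== POLICY_VERSION) return true;
    const ageDays = (this.now() - new Date(rec.timestamp)) / 86400000;
    return ageDays > RECONSENT_DAYS;
  }
}

// Stand-alone demo with a stub loader and constructed script URLs.
const demoLoaded = [];
const demo = new ConsentManager({ loadScript: (src) => demoLoaded.push(src) });
demo.register("necessary", "/js/csrf-token.js");
demo.register("analytics", "https://analytics.example/collect.js");
demo.save("visitor-demo", { analytics: true });
console.log(demoLoaded, demo.log);
```

In a real page the consent log would be persisted server-side or in the plugin's storage rather than kept in memory, and the subject id should be a pseudonymous value, not the visitor's full IP.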
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
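The consent rules listed above (explicit choice, granular categories, easy withdrawal, a stored record) and the exemption for strictly necessary cookies, implemented as a small browser-side consent manager. This is an added example, not code from the original post or from any of the plugins it names; the storage interface, the `onRecord` hook, the `data-consent` script attribute and every function name are assumptions for illustration.

```javascript
// Added example (not from the original post or any consent plugin): a small
// consent manager applying the rules above. Nothing non-essential is allowed
// before an explicit choice, categories are granular, "Reject All" is as easy
// as "Accept All", consent can be withdrawn, and every decision is recorded
// with a timestamp and the policy version it was given against. Storage and
// the record hook are injected, so the same logic runs against localStorage in
// a browser or against an in-memory store in Node. All names are hypothetical.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const STORAGE_KEY = "consent_record_v1";

function newRecordId() {
  // Opaque id so a stored decision can be matched against a server-side log.
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

function createConsentManager({ storage, policyVersion, onRecord, now = () => new Date() }) {
  // A stored decision only counts if it was given against the *current* policy
  // version; consent to an older cookie policy is not informed consent to this one.
  function load() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec.policyVersion === policyVersion ? rec : null;
    } catch {
      return null; // corrupted value: treat as "no decision", never as consent
    }
  }

  function record(choices, method) {
    const granted = {};
    for (const c of CATEGORIES) {
      // "necessary" is exempt and always on; anything not explicitly `true` is
      // refused, so an omitted or non-boolean value never turns into consent.
      granted[c] = c === "necessary" ? true : choices[c] === true;
    }
    const rec = { id: newRecordId(), timestamp: now().toISOString(), policyVersion, method, granted };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    if (onRecord) onRecord(rec); // e.g. POST to your consent log: what, when, which user
    return rec;
  }

  return {
    needsDecision: () => load() === null, // show the banner while this is true
    acceptAll: () => record({ functional: true, analytics: true, marketing: true }, "accept_all"),
    rejectAll: () => record({}, "reject_all"), // one click, same as accepting
    save: (choices) => record(choices, "custom"),
    withdraw: () => record({}, "withdrawn"), // withdrawal is as easy as giving it
    current: () => load(),
    isAllowed(category) {
      if (category === "necessary") return true;
      const rec = load();
      return rec !== null && rec.granted[category] === true;
    },
  };
}

// Consent-gated scripts are shipped inert, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="/js/stats.js"></script>
// and only become real <script> tags once their category is allowed. Returns the
// number of scripts activated (0 outside a browser, where there is no document).
function activateGatedScripts(manager, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!manager.isAllowed(el.dataset.consent)) continue;
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Stand-alone demo in Node with an in-memory store standing in for localStorage.
if (typeof document === "undefined") {
  const demoStore = new Map();
  const demo = createConsentManager({
    storage: { getItem: (k) => demoStore.get(k) ?? null, setItem: (k, v) => demoStore.set(k, v) },
    policyVersion: "2026-01",
    onRecord: (rec) => console.log("logged:", rec.method, rec.timestamp),
  });
  console.log("banner needed:", demo.needsDecision()); // true
  demo.save({ analytics: true });
  console.log("analytics:", demo.isAllowed("analytics"), "marketing:", demo.isAllowed("marketing")); // true false
}
```

In a browser, call `activateGatedScripts(manager)` once on page load and again right after any `acceptAll`/`save` call; the `onRecord` hook is where the server-side consent log the requirements call for gets fed.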
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
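Client-side tokenization keeps card numbers off your server by design, but a misconfigured form or a plugin that falls back to a plain text field can still deliver one. The server-side guard below is an added example, not code from the original post or from any payment processor's SDK; it walks an incoming form body, detects values that are shaped like a primary account number and pass the Luhn checksum, and reports the offending field paths so the submission can be rejected before it reaches the database or the logs. The sample submissions are constructed (4242424242424242 is a publicly documented test card number; the order reference is sixteen digits that fail Luhn).

```javascript
// Added example (not from the original post or any vendor SDK): refuse to persist
// anything that looks like a card number. Complements client-side tokenization.

// Luhn check: true when the digit string satisfies the mod-10 checksum.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally separated by spaces or dashes (how people type cards).
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Returns every Luhn-valid, PAN-shaped digit string found in a piece of text.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Walks a submitted body (nested objects and arrays allowed) and returns the
// field paths that contain a PAN. An empty array means the body is safe to store.
function fieldsWithPan(body, path = "") {
  const bad = [];
  if (typeof body === "string") {
    if (findPans(body).length > 0) bad.push(path || "(root)");
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => bad.push(...fieldsWithPan(v, `${path}[${i}]`)));
  } else if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      bad.push(...fieldsWithPan(v, path ? `${path}.${k}` : k));
    }
  }
  return bad;
}

// Mask for any log line or error message: first six and last four only.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Constructed sample submissions. The processor token is a placeholder value.
const SAFE_SUBMISSION = { name: "A. Customer", order_ref: "1234567890123456", token: "tok_placeholder" };
const UNSAFE_SUBMISSION = { name: "A. Customer", note: "card 4242 4242 4242 4242 exp 12/30" };

// Gate to run before an order, support ticket or form entry is written anywhere.
function checkSubmission(body) {
  const bad = fieldsWithPan(body);
  return { ok: bad.length === 0, fields: bad };
}
```

Wire `checkSubmission` in front of every write path that accepts free text (order notes, contact forms, support tickets), because those are where customers paste card numbers even when the checkout itself is tokenized; log only the masked value and the field path, never the match.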
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
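The requirements listed above (nothing non-essential before consent, granular categories, withdrawal as easy as granting, a stored record of what was consented to and when) and the category table map directly onto what a consent script has to do. The following is an added example, not code from the original post or from any of the plugins compared below; it is a minimal consent manager whose storage and script-loading are injected so the same logic runs in a browser or in a test harness. The tag manifest and visitor id are constructed, and the in-memory consent log stands in for the server-side store a plugin would write to.

```javascript
// Added example (not from the original post or any consent plugin): enforce the
// rules in code. Storage and script loading are injected so this runs anywhere.

const CATEGORIES = ["functional", "analytics", "marketing"]; // "necessary" is exempt and always on

// Constructed sample tag manifest (placeholder URLs, not real vendor snippets).
const SCRIPTS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "lang-pref", category: "functional", src: "https://cdn.example/prefs.js" },
];

class ConsentManager {
  constructor({ storage, loadScript, now = () => new Date(), version = "2024-01" }) {
    this.storage = storage;       // { get(key), set(key, value) }: localStorage or a first-party cookie
    this.loadScript = loadScript; // (script) => void, called only after consent for that category
    this.now = now;
    this.version = version;       // bump when the cookie policy changes so old consent is re-asked
    this.loaded = new Set();
    this.records = [];            // consent log: what was consented to, when, by which visitor
  }

  // Stored decision for the current policy version, or null (no consent yet or outdated).
  current() {
    const raw = this.storage.get("consent");
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    return parsed.version === this.version ? parsed : null;
  }

  // Before any interaction only strictly necessary cookies are allowed.
  allowed(category) {
    if (category === "necessary") return true;
    const c = this.current();
    return Boolean(c && c.choices[category] === true);
  }

  // Active, granular decision, e.g. { analytics: true, marketing: false }.
  // A missing key is treated as refused: there is no pre-ticked default.
  decide(choices, visitorId) {
    const normalized = {};
    for (const cat of CATEGORIES) normalized[cat] = choices[cat] === true;
    const record = {
      visitorId,
      timestamp: this.now().toISOString(),
      version: this.version,
      choices: normalized,
    };
    this.storage.set("consent", JSON.stringify(record));
    this.records.push(record);
    this.applyScripts();
    return record;
  }

  // Withdrawal is a single call, the same shape as granting, and is logged too.
  withdrawAll(visitorId) {
    return this.decide({}, visitorId);
  }

  // Load each tag at most once and only while its category is allowed. A tag already
  // in the page cannot be unloaded, so after withdrawal the page should be reloaded.
  applyScripts() {
    for (const s of SCRIPTS) {
      if (!this.loaded.has(s.id) && this.allowed(s.category)) {
        this.loadScript(s);
        this.loaded.add(s.id);
      }
    }
    return [...this.loaded];
  }
}

// In-memory stand-in for localStorage / a first-party cookie.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v) };
}

// Walk-through: on page load nothing non-essential runs; after a granular decision
// only the analytics tag is injected and the decision is on record.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({ storage: memoryStorage(), loadScript: (s) => loaded.push(s.id) });
  cm.applyScripts();
  const before = loaded.length;
  cm.decide({ analytics: true }, "visitor-abc");
  return { before, after: [...loaded], record: cm.records[0] };
}
```

In a real page `loadScript` would append a `<script src>` element to the document, and the manifest is exactly the list a cookie scan (see the maintenance table) should be reconciled against: any tag that loads without passing through `allowed()` is a consent gap.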
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
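The requirements listed above (deny by default, granular choices, reject-all, easy withdrawal, consent records) and the category table, as an added example that is not code from the page or from any of the plugins compared below: a minimal consent-state module that gates tag loading on the visitor's recorded choices. Category names follow the table; the visitor id, policy version and in-memory log are constructed.

```javascript
// Only "necessary" is exempt from consent; the other three need an explicit opt-in.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // constructed; bump whenever the cookie policy changes

// In-memory stand-in for the consent log (a table, or a first-party cookie, in practice).
const consentLog = [];

// The state before the visitor has chosen anything: nothing non-essential runs.
// This is what "prior consent" means: no pre-ticked boxes, nothing implied by scrolling.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Record an explicit, granular choice. Unknown categories and non-boolean values are
// rejected; "necessary" can never be switched off. Every call appends a new record:
// what was chosen, when, by whom, and which policy version the visitor saw.
function recordConsent(visitorId, choices, now = new Date()) {
  const state = defaultConsent();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") continue; // exempt and always on
    if (typeof value !== "boolean") throw new Error(`choice for ${category} must be boolean`);
    state[category] = value;
  }
  const record = { visitorId, choices: state, policyVersion: POLICY_VERSION, recordedAt: now.toISOString() };
  consentLog.push(record);
  return record;
}

// "Accept all" and "Reject all" are equally available. Withdrawal is just a new record
// with every non-essential category off, so it is exactly as easy as giving consent.
function acceptAll(visitorId, now) {
  return recordConsent(visitorId, { functional: true, analytics: true, marketing: true }, now);
}
function rejectAll(visitorId, now) {
  return recordConsent(visitorId, {}, now);
}
const withdrawConsent = rejectAll;

// The most recent record for a visitor is authoritative.
function latestRecord(visitorId) {
  for (let i = consentLog.length - 1; i >= 0; i--) {
    if (consentLog[i].visitorId === visitorId) return consentLog[i];
  }
  return undefined;
}

// No record at all means the deny-by-default state.
function currentConsent(visitorId) {
  const record = latestRecord(visitorId);
  return record ? record.choices : defaultConsent();
}

// Gate a tag loader (the function that would inject an analytics or pixel <script>)
// on the visitor's current consent. Returns whether the loader ran.
function loadIfConsented(visitorId, category, loader) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (!currentConsent(visitorId)[category]) return false;
  loader();
  return true;
}

// Consent given under an older policy version is not consent to the current one,
// so the banner has to be shown again.
function needsReprompt(visitorId, currentVersion = POLICY_VERSION) {
  const record = latestRecord(visitorId);
  return record === undefined || record.policyVersion !== currentVersion;
}
```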
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
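The consent mechanics above (prior consent, granular categories, withdrawal, a consent record, and the split between exempt and consent-requiring categories) can be enforced in a few dozen lines. The following is an added example written for this article, not code from the article or from any of the consent plugins it compares: non-essential scripts are registered by category and never injected until an explicit per-category opt-in exists, the decision is stored with a timestamp, a record id and a policy version so it can be withdrawn and so a policy change re-prompts the visitor. Storage and the script loader are injected, so the same logic runs against a browser's localStorage and a script-tag injector or, as in the demo, against in-memory stand-ins. The storage key, the policy-version string and the script URLs are constructed for the example.

```javascript
// Added example: a minimal consent manager enforcing prior, granular, withdrawable consent.
// Strictly necessary cookies never go through this object; only the three consent-bearing
// categories do.
const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];

class ConsentManager {
  constructor({ policyVersion, storage, loadScript }) {
    this.policyVersion = policyVersion;   // bump whenever the cookie policy changes
    this.storage = storage;               // any object with getItem/setItem/removeItem (localStorage fits)
    this.loadScript = loadScript;         // src => void; in the browser, appends a <script> tag
    this.queued = { functional: [], analytics: [], marketing: [] };
    this.loaded = new Set();
  }

  // Scripts are queued, not injected, until consent for their category exists.
  register(category, src) {
    if (!(category in this.queued)) throw new Error(`unknown non-essential category: ${category}`);
    this.queued[category].push(src);
    if (this.hasConsent(category)) this.flush(category);
  }

  // The stored record counts only if it was given for the current policy version;
  // an older or unreadable record means the banner must be shown again.
  record() {
    const raw = this.storage.getItem('cookie-consent');
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.choices && rec.policyVersion === this.policyVersion ? rec : null;
    } catch (e) {
      return null;
    }
  }

  needsBanner() { return this.record() === null; }

  hasConsent(category) {
    const rec = this.record();
    return rec !== null && rec.choices[category] === true;
  }

  // choices: { functional?: bool, analytics?: bool, marketing?: bool }; anything missing is
  // treated as refused, so "Reject all" is simply an empty choice set.
  save(choices, recordId) {
    const rec = {
      id: recordId,                                  // ties the browser record to your server-side consent log
      policyVersion: this.policyVersion,
      timestamp: new Date().toISOString(),
      choices: Object.fromEntries(NON_ESSENTIAL.map(c => [c, choices[c] === true])),
    };
    this.storage.setItem('cookie-consent', JSON.stringify(rec));
    NON_ESSENTIAL.filter(c => rec.choices[c]).forEach(c => this.flush(c));
    return rec;
  }

  acceptAll(recordId) { return this.save({ functional: true, analytics: true, marketing: true }, recordId); }
  rejectAll(recordId) { return this.save({}, recordId); }

  // Withdrawal clears the record. Scripts already on the page cannot be unloaded, so the
  // effect is that nothing further loads and the next page view starts without consent.
  withdraw() { this.storage.removeItem('cookie-consent'); }

  flush(category) {
    for (const src of this.queued[category]) {
      if (!this.loaded.has(src)) { this.loaded.add(src); this.loadScript(src); }
    }
  }
}

// In-memory stand-in for localStorage, used by the demo and tests.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: k => m.delete(k) };
}

// Walks through one visit: two scripts registered, nothing loads, analytics-only consent
// given, then consent withdrawn. Script URLs are constructed for the example.
function demo() {
  const injected = [];
  const cm = new ConsentManager({ policyVersion: '2026-01', storage: memoryStorage(), loadScript: src => injected.push(src) });
  cm.register('analytics', 'https://analytics.example/script.js');
  cm.register('marketing', 'https://ads.example/pixel.js');
  const loadedBeforeConsent = injected.length;
  cm.save({ analytics: true }, 'rec-0001');
  const loadedAfterAnalyticsOnly = injected.slice();
  cm.withdraw();
  return { loadedBeforeConsent, loadedAfterAnalyticsOnly, bannerAfterWithdraw: cm.needsBanner() };
}
```

In a browser the constructor is called with `storage: window.localStorage` and a `loadScript` that creates a `<script>` element and appends it to `document.head`; the banner's buttons call `acceptAll`, `rejectAll` or `save` with the visitor's per-category choices, and the footer's cookie-settings link calls `withdraw`. The `id` in each record should also be posted to your server so the consent log the regulation requires exists independently of the visitor's browser.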
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
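Client-side tokenization keeps card numbers off your server only as long as every form on the site is wired that way; a legacy contact form or a free-text "order notes" field can still deliver a PAN into your database and logs, which would pull you out of SAQ A scope. As an added defensive check (written for this article, not code from Stripe, PayPal, WooCommerce or the article itself), the following server-side guard scans a submitted payload for values that look like card numbers, using digit count plus the Luhn checksum, so such a submission can be rejected before storage and logged with the number masked. The sample payloads in the tests are constructed.

```javascript
// Added example: refuse to store any form submission that appears to contain a PAN.
// A candidate is a run of 13-19 digits, optionally separated by spaces or dashes,
// whose Luhn checksum is valid. Luhn filters out most order numbers and phone numbers
// that merely happen to be long.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const re = new RegExp(PAN_CANDIDATE.source, 'g');   // fresh lastIndex per call
  let m;
  while ((m = re.exec(value)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Walks a submitted payload (nested objects and arrays allowed) and returns the paths of
// fields that appear to hold a PAN. An empty array means the submission may be stored.
function findPanFields(payload, path = '') {
  const hits = [];
  if (payload && typeof payload === 'object') {
    for (const [k, v] of Object.entries(payload)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(payload)) {
    hits.push(path || '(root)');
  }
  return hits;
}

// For the rejection log entry: keep only the last four digits of each detected PAN so the
// log itself does not become cardholder data.
function maskPan(value) {
  return value.replace(new RegExp(PAN_CANDIDATE.source, 'g'), m => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// Request-handler shape: returns { ok: true } or { ok: false, fields } without storing anything.
function validateSubmission(payload) {
  const fields = findPanFields(payload);
  return fields.length === 0 ? { ok: true } : { ok: false, fields };
}
```

Run `validateSubmission` on the parsed body of every form endpoint that writes to the database; on a hit, return an error to the user asking them to remove the card number, and log only the field path plus the `maskPan` output. The check is a backstop, not a substitute for keeping card entry inside the processor's hosted or embedded form.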
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
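The registration-form age check mentioned above is easy to get subtly wrong: dividing elapsed milliseconds by 365.25 days puts the cut-off a day off around the birthday, and `Date` silently rolls impossible dates such as 30 February into March. The following is an added example written for this article (not the article's own code or any plugin's): it parses a `YYYY-MM-DD` date of birth strictly, computes completed years by calendar comparison so the check flips exactly on the birthday, and treats a 29 February birthday as falling on 1 March in non-leap years. The minimum age is a parameter so the same function serves a 13 (COPPA) or 16 (EU) threshold; the "today" value is passed in for testability.

```javascript
// Added example: a correct minimum-age gate for a registration form.

// Strict YYYY-MM-DD parser; returns { y, mo, d } or null for malformed or impossible dates.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s));
  if (!m) return null;
  const y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date rolls 2023-02-30 over to 2023-03-02; detect that instead of accepting it.
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) return null;
  return { y, mo, d };
}

// Completed years between dob and today, both as { y, mo, d }. A 29 February birthday
// has not "passed" on 28 February of a common year, so it counts from 1 March.
function ageOn(dob, today) {
  let age = today.y - dob.y;
  const birthdayPassed = today.mo > dob.mo || (today.mo === dob.mo && today.d >= dob.d);
  if (!birthdayPassed) age -= 1;
  return age;
}

// Returns { allowed, age } for a usable date, or { allowed: false, reason } otherwise.
// `todayString` defaults to the current UTC date; tests pass a fixed value.
function checkMinimumAge(dobString, minimumAge, todayString = new Date().toISOString().slice(0, 10)) {
  const dob = parseIsoDate(dobString);
  const today = parseIsoDate(todayString);
  if (!dob || !today) return { allowed: false, reason: 'invalid-date' };
  const age = ageOn(dob, today);
  if (age < 0) return { allowed: false, reason: 'future-date' };
  if (age > 130) return { allowed: false, reason: 'implausible-date' };
  return { allowed: age >= minimumAge, age };
}
```

Store only the outcome of the check (and the minimum applied) alongside the account, not the date of birth itself, unless you have a separate reason to keep it; the date is personal data that then needs its own retention period and export/erasure handling.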
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
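The requirements list and the category table above translate into a small amount of banner logic: scripts stay inert until consent exists for their category, "Reject All" is a single click like "Accept All", each decision is recorded with what, when and who, and withdrawal produces a new record and clears the affected cookies. Here is an added example of that logic, not code from the article or from any of the plugins it compares; the policy version, the six-month re-consent window, the `data-consent` attribute convention and the cookie inventory are assumptions.

```javascript
// Added example: consent gating for non-essential scripts plus the consent record.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-01';                     // assumption: bump when the cookie policy changes
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumption: re-ask after six months

// Constructed inventory, as a cookie scan might produce it: cookie name -> category.
const COOKIE_INVENTORY = {
  wordpress_logged_in: 'necessary',  // login session
  woocommerce_cart_hash: 'necessary',// shopping cart
  pll_language: 'functional',        // language preference
  _ga: 'analytics',                  // Google Analytics
  _fbp: 'marketing',                 // Facebook Pixel
};

// Consent record: what was consented to, when, by which visitor, and how.
// Categories not explicitly chosen default to false, so nothing is pre-ticked.
function buildConsentRecord(choices, { now, visitorId, action }) {
  const granted = { necessary: true }; // exempt category, never needs consent
  for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
  return { version: POLICY_VERSION, visitorId, action, timestamp: now, granted };
}

// "Accept all" and "Reject all" are both one click; that equal prominence is
// what makes the consent freely given rather than nudged.
function acceptAll(ctx) {
  return buildConsentRecord(
    { functional: true, analytics: true, marketing: true },
    { ...ctx, action: 'accept_all' },
  );
}
function rejectAll(ctx) {
  return buildConsentRecord({}, { ...ctx, action: 'reject_all' });
}
// Withdrawal produces a fresh record; the earlier one stays in the log as history.
function withdrawConsent(ctx) {
  return buildConsentRecord({}, { ...ctx, action: 'withdraw' });
}

// A record must be collected again once it is stale or predates the current policy.
function recordIsCurrent(record, now) {
  return !!record
    && record.version === POLICY_VERSION
    && now - record.timestamp <= CONSENT_MAX_AGE_MS;
}

// Which blocked scripts may run. Fails closed: no record, or an unknown
// category on the tag, means the script stays blocked.
function scriptsToActivate(record, scripts) {
  return scripts.filter(({ category }) => {
    if (!CATEGORIES.includes(category)) return false;
    if (category === 'necessary') return true;
    return !!(record && record.granted[category]);
  });
}

// Cookies that must be deleted under the current record (used on reject and withdraw).
function cookiesToClear(record, inventory = COOKIE_INVENTORY) {
  return Object.entries(inventory)
    .filter(([, category]) => !(category === 'necessary' || (record && record.granted[category])))
    .map(([name]) => name);
}

// Browser glue. Third-party tags are shipped as
// <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never executes them until this function swaps in a real tag,
// which is what "prior" consent requires. Returns the number of scripts activated.
function applyConsentToPage(record, doc = globalThis.document) {
  if (!doc) return 0; // not running in a browser (e.g. under unit tests)
  const blocked = [...doc.querySelectorAll('script[type="text/plain"][data-consent]')]
    .map((el) => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const { el } of scriptsToActivate(record, blocked)) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  for (const name of cookiesToClear(record)) {
    // Clears first-party cookies on this host; cookies set on a parent domain
    // need a matching Domain attribute, and third-party cookies need the vendor's opt-out.
    doc.cookie = `${name}=; Max-Age=0; Path=/`;
  }
  return activated;
}
```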
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Article 7). Store what was consented to, when, and against which version of the banner and cookie policy, keyed to a random consent ID rather than to a name or full IP address. The log is itself personal data, so keep it minimal and give it a retention period.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt only when the user explicitly requested the feature (e.g. picked a language); otherwise requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR, unless the tool runs cookie-less (see Privacy-First Analytics below) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; extendable by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to the Article 17 exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core data (user profile, comments) but include plugin data only if the plugin registers its own exporter and eraser callbacks through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Run a test export for a known account and check whether WooCommerce orders, BuddyPress profiles, or form submissions appear; if they do not, the plugin has not registered them and you need a separate process for that data.
Breach Notification
GDPR requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify the affected individuals directly. Every breach, reported or not, has to be documented internally (Article 33(5)) with its facts, effects, and the remedial action taken. Designate someone responsible for breach assessment and notification, and confirm that your hosting provider and other processors are contractually obliged to tell you about their breaches promptly: the 72 hours run from when you become aware, and a processor that sits on an incident for a week eats your deadline.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out of sale and sharing, which the CPRA regulations require - a footer link alone does not satisfy this. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that GPC handling is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the shopper’s browser to the processor and never touches your servers, your scope is dramatically reduced, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside the processor’s own iframe, and tokenizing them before anything reaches your server. The remaining risk is the checkout page itself: every other script it loads (theme, plugins, tag manager, ads) runs alongside the processor’s form and could replace or overlay it, which is why PCI DSS v4.0 added requirements (6.4.3 and 11.6.1) to inventory, authorize, and monitor the scripts on payment pages. Keep checkout pages free of non-essential third-party scripts, and consider a Content-Security-Policy on those pages that restricts script-src and frame-src to your own origin and the hosts your processor documents.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years and must be renewed (also $6), so put the renewal date on the compliance calendar - an expired designation means no safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (together with the ePrivacy rules on unsolicited communications), you need opt-in consent to send marketing emails to subscribers, with only a narrow “soft opt-in” for existing customers being offered similar products. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism honored within 10 business days, a valid physical postal address, and accurate header and subject information. Under CASL (Canada), express opt-in is required for commercial electronic messages, with implied consent recognized only in limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly, which means: cookie-less tracking (or short-lived first-party cookies only), IP anonymization enabled, no user-ID or cross-site tracking, and data used solely for aggregate audience measurement. The French CNIL publishes a consent exemption for audience-measurement tools configured on these terms.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
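The consent rules above (prior, granular, withdrawable, recorded) and the category table translate into a small piece of state that a banner and a script loader share. The following is an added example written for this page, not code from Complianz, CookieBot or any other plugin; the category names, the `POLICY_VERSION` string and the visitor ids are assumptions. Non-essential categories start denied, nothing non-essential may load before an explicit click, every decision is appended to a log with a timestamp, and a stored decision made under an older policy version is treated as no decision so the banner is shown again.

```javascript
// Added example: consent-state model for a cookie banner (assumed names, not a real plugin API).
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== 'necessary');
const POLICY_VERSION = '2026-01'; // assumed: bump whenever the cookie policy text changes

// Fresh state: no decision yet, only strictly necessary cookies are allowed.
function createConsentState(now = () => new Date().toISOString()) {
  return { policyVersion: POLICY_VERSION, decided: false, granted: new Set(['necessary']), log: [], _now: now };
}

// Record an explicit, active choice (a button click), never a default.
// `choices` looks like { analytics: true, marketing: false }. Essential or unknown
// categories are rejected so a buggy banner cannot silently widen consent.
function recordConsent(state, choices, visitorId, method) {
  const granted = new Set(['necessary']);
  for (const [cat, value] of Object.entries(choices)) {
    if (!NON_ESSENTIAL.includes(cat)) throw new Error(`category not consentable: ${cat}`);
    if (value === true) granted.add(cat);
  }
  state.granted = granted;
  state.decided = true;
  state.log.push({
    at: state._now(),
    visitorId,
    method, // 'accept_all' | 'reject_all' | 'custom' | 'withdraw'
    policyVersion: state.policyVersion,
    granted: [...granted].sort(),
  });
  return state;
}

function acceptAll(state, visitorId) {
  return recordConsent(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), visitorId, 'accept_all');
}

function rejectAll(state, visitorId) {
  return recordConsent(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), visitorId, 'reject_all');
}

// Withdrawal must be as easy as giving consent: one call, and it is logged too.
function withdrawConsent(state, visitorId) {
  return recordConsent(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), visitorId, 'withdraw');
}

// The gate a script loader asks before injecting a tag. Before any decision
// ("prior" consent) only strictly necessary scripts may load.
function mayLoad(state, category) {
  if (category === 'necessary') return true;
  return state.decided && state.granted.has(category);
}

// What goes into the consent cookie: version plus granted non-essential categories.
function serializeForCookie(state) {
  return JSON.stringify({ policyVersion: state.policyVersion, granted: [...state.granted].filter((c) => c !== 'necessary') });
}

// Restore on the next page view. Garbage or an older policy version resets to "undecided".
function restoreFromCookie(cookieValue) {
  const state = createConsentState();
  if (!cookieValue) return state;
  let parsed;
  try { parsed = JSON.parse(cookieValue); } catch (e) { return state; }
  if (!parsed || parsed.policyVersion !== POLICY_VERSION) return state;
  const kept = (parsed.granted || []).filter((c) => NON_ESSENTIAL.includes(c));
  state.decided = true;
  state.granted = new Set(['necessary', ...kept]);
  return state;
}

// Constructed walk-through (fixed clock, made-up visitor id), not real traffic.
function demo() {
  const s = createConsentState(() => '2026-03-01T10:00:00Z');
  const before = mayLoad(s, 'analytics'); // false: nothing decided yet
  recordConsent(s, { analytics: true, marketing: false }, 'visitor-abc123', 'custom');
  const after = mayLoad(s, 'analytics');  // true
  const mkt = mayLoad(s, 'marketing');    // false: granular
  withdrawConsent(s, 'visitor-abc123');
  return { before, after, mkt, afterWithdraw: mayLoad(s, 'analytics'), entries: s.log.length };
}
```

The `log` array is what the consent-records requirement asks for; in a real deployment it is shipped to the server and kept for as long as the consent is relied on. Note that the visitor id is itself personal data, so store it under the same retention rules as the rest of your consent records.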
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
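Even with Stripe Elements in place, a card number can still reach your server through a free-text field such as order notes or a support form, and from there into your database and logs. The following is an added server-side guard written for this page (not code from Stripe, PayPal or WooCommerce): it scans submitted string fields for digit runs that look like a PAN and pass the Luhn check, and tells the request handler to refuse the submission. The field names and the sample submission are constructed; the card number in it is the public test PAN that Stripe’s documentation uses.

```javascript
// Added example: refuse form submissions that appear to carry a card number (assumed field names).

// Luhn mod-10 check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
// bounded by word boundaries so a 20-digit reference number is not sliced into a "card".
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// For logs and error messages: never echo the full number back.
function redactPan(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Screen every string field of a submission. The result carries only the field name
// and last four digits, so it is safe to log.
function screenSubmission(fields) {
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    for (const pan of findPans(value)) findings.push({ field: name, last4: pan.slice(-4) });
  }
  return findings.length === 0 ? { accept: true, findings: [] } : { accept: false, findings };
}

// Constructed sample submission (not real customer data).
function demo() {
  const submission = {
    name: 'Constructed Example',
    order_notes: 'Please charge my card 4242 4242 4242 4242 and ship fast', // Stripe's public test PAN
    phone: '+1 555 0100 2020',   // 12 digits: too short to be a candidate
    order_ref: '1234567890123',  // 13 digits but fails Luhn: not flagged
  };
  return screenSubmission(submission);
}
```

A Luhn-valid digit run is not proof of a card number (some order and account identifiers pass the check too), so treat a finding as "do not store this as submitted" and ask the user to resubmit without the number, rather than as evidence of wrongdoing.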
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
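The age check on a registration form is easy to get subtly wrong: the birthday may not have happened yet this year, `new Date()` silently rolls an impossible date like February 30 into March, and a 29 February birthday only exists in leap years. The following is an added example for this page (not code from any registration plugin) that computes age on calendar dates in UTC and applies a minimum of 13 by default or 16 for an EU-facing site, the two values the text mentions; the region keys and the result shape are assumptions.

```javascript
// Added example: date-of-birth age gate for a registration form (assumed region keys).
const MIN_AGE = { default: 13, eu: 16 }; // values taken from the text; keys are assumed

// Parse YYYY-MM-DD strictly. Rejects impossible dates instead of letting Date roll them over.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(s));
  if (!m) return null;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) return null;
  return dt;
}

// Completed years between two UTC calendar dates. A 29 February birthday counts as
// 1 March in non-leap years (the person is not yet a year older on 28 February).
function ageOn(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const hadBirthday =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!hadBirthday) age -= 1;
  return age;
}

// `today` is injectable so the check is testable; in production leave the default.
function checkRegistrationAge(dobString, region = 'default', today = new Date()) {
  const dob = parseIsoDate(dobString);
  if (!dob) return { ok: false, reason: 'invalid_date' };
  if (dob > today) return { ok: false, reason: 'future_date' };
  const min = MIN_AGE[region] || MIN_AGE.default;
  const age = ageOn(dob, today);
  return age >= min ? { ok: true, age } : { ok: false, reason: 'under_minimum_age', age, min };
}
```

Data minimisation applies here too: once the check has passed, store the fact that it passed (and when) rather than keeping the full date of birth unless you need it for something else.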
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
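The requirements above (prior, active, granular, withdrawable consent with a stored record) and the category table, turned into working code as an added example that is not from the original post or from any plugin listed here; it also covers the monthly cookie-scan task with an audit helper. The cookie names, policy version and category registry are constructed, and storage and script loading are injected so the gate runs headless.

```javascript
const OPTIONAL = ['functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-01'; // placeholder: bump whenever the cookie policy changes

// Constructed registry of the cookies this hypothetical site sets, by category.
const COOKIE_REGISTRY = {
  necessary: ['PHPSESSID', 'wordpress_logged_in', 'woocommerce_cart_hash'],
  functional: ['site_lang'],
  analytics: ['_ga', '_ga_ABC123'],
  marketing: ['_fbp', '_gcl_au'],
};

class ConsentGate {
  // storage: getItem/setItem; loadScript(src); clearCookies([names]); now(): Date
  constructor({ storage, loadScript, clearCookies, now = () => new Date() }) {
    Object.assign(this, { storage, loadScript, clearCookies, now });
    this.pending = { functional: [], analytics: [], marketing: [] };
    this.loaded = [];
    this.record = this.readRecord();
  }

  readRecord() {
    try {
      const rec = JSON.parse(this.storage.getItem('cookie_consent'));
      // A record made under an older policy version is stale: prompt again.
      return rec && rec.policyVersion === POLICY_VERSION ? rec : null;
    } catch (e) {
      return null;
    }
  }

  needsPrompt() { return this.record === null; }

  // Tags register with a category; only 'necessary' runs before a decision ("prior").
  register(category, src) {
    if (category === 'necessary') return this.run(src);
    if (!OPTIONAL.includes(category)) throw new Error('unknown cookie category: ' + category);
    if (this.record && this.record.choices[category]) return this.run(src);
    this.pending[category].push(src); // held until consent for this category exists
  }

  run(src) { this.loadScript(src); this.loaded.push(src); }

  // Record an explicit choice. A category missing from `choices` counts as refused,
  // never as accepted, so "Reject All" is simply decide({}, 'click').
  decide(choices, method) {
    if (method !== 'click') {
      throw new Error('consent must be an explicit click, not scrolling or continued browsing');
    }
    const record = {
      policyVersion: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      method,
      choices: Object.fromEntries(OPTIONAL.map((c) => [c, choices[c] === true])),
    };
    this.storage.setItem('cookie_consent', JSON.stringify(record));
    this.record = record;
    for (const cat of OPTIONAL) {
      if (!record.choices[cat]) continue;
      this.pending[cat].forEach((src) => this.run(src));
      this.pending[cat] = [];
    }
    return record;
  }

  // Withdrawal must be as easy as consent: one call turns the category off and
  // clears its cookies. Scripts already running stop on the next page load.
  withdraw(category) {
    if (!this.record || !OPTIONAL.includes(category)) return false;
    this.record.choices[category] = false;
    this.record.timestamp = this.now().toISOString();
    this.storage.setItem('cookie_consent', JSON.stringify(this.record));
    this.clearCookies(COOKIE_REGISTRY[category]);
    return true;
  }
}

// Audit helper for the monthly cookie scan: given the cookie names actually seen
// in the browser, return those not covered by a consent (unregistered ones included).
function cookiesWithoutConsent(observed, record, registry = COOKIE_REGISTRY) {
  const categoryOf = {};
  for (const [cat, names] of Object.entries(registry)) names.forEach((n) => { categoryOf[n] = cat; });
  return observed.filter((name) => {
    const cat = categoryOf[name] || 'unknown';
    return cat !== 'necessary' && !(record && record.choices[cat]);
  });
}

// In-memory storage for running the gate headless (tests, a CLI audit).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}
```

In a browser, pass window.localStorage as storage, a loadScript that appends a script tag, and a clearCookies that expires each name through document.cookie with the same path and domain the cookie was set with, otherwise the deletion silently does nothing.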
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
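The requirements above and the categories table, turned into a consent-gated tag loader as an added example (not code from any of the consent plugins): optional categories default to off, accept-all and reject-all are equal actions, withdrawal is one call, the record carries the policy version it was given for, and no non-essential script is injected without a matching grant. The tag entries and the policy version strings are constructed samples.

```javascript
// Added example: consent-gated script loading with a stored consent record.
// Category names follow the cookie categories table.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const OPTIONAL = CATEGORIES.slice(1);

// Every third-party script is declared with its category, so nothing non-essential
// can be loaded by accident before consent. (Constructed sample entries.)
const TAGS = [
  { id: "csrf-helper", src: "/js/csrf.js", category: "necessary" },
  { id: "lang-pref", src: "/js/lang.js", category: "functional" },
  { id: "ga4", src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", category: "analytics" },
  { id: "fb-pixel", src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
];

const EXPLICIT_ACTIONS = ["accept_all", "reject_all", "granular", "withdrawn"];

// Build a consent record from an explicit banner action. Optional categories default
// to false, so an untouched banner grants nothing (no pre-ticked boxes); "scroll" or
// "continue browsing" are not accepted methods and throw.
function createConsentRecord({ method, choices = {}, policyVersion, now = new Date() }) {
  if (!EXPLICIT_ACTIONS.includes(method)) {
    throw new Error(`"${method}" is not an explicit consent action`);
  }
  const granted = { necessary: true };
  for (const c of OPTIONAL) {
    if (method === "accept_all") granted[c] = true;
    else if (method === "granular") granted[c] = choices[c] === true;
    else granted[c] = false; // reject_all, withdrawn
  }
  return { granted, method, policyVersion, timestamp: now.toISOString() };
}

// Withdrawal is as easy as giving consent: one call, same record shape, so the
// consent log shows when the visitor changed their mind.
function withdrawConsent(record, now = new Date()) {
  return createConsentRecord({ method: "withdrawn", policyVersion: record.policyVersion, now });
}

// Consent given for an older cookie policy must be asked for again once the policy
// text changes (ties in with the quarterly policy review).
function needsReconsent(record, currentPolicyVersion) {
  return !record || record.policyVersion !== currentPolicyVersion;
}

function isAllowed(record, category) {
  if (category === "necessary") return true; // exempt, never gated
  return Boolean(record && record.granted[category]);
}

// The only tags that may be injected into the page for this record.
function scriptsToLoad(record, tags = TAGS) {
  return tags.filter((t) => isAllowed(record, t.category));
}

// Browser side: inject <script> tags for what is allowed and return their ids.
// Guarded on `document` so the same module runs under Node for testing.
function injectAllowedScripts(record, tags = TAGS, doc = typeof document === "undefined" ? null : document) {
  const allowed = scriptsToLoad(record, tags);
  if (doc) {
    for (const t of allowed) {
      const s = doc.createElement("script");
      s.src = t.src;
      s.async = true;
      s.dataset.consentCategory = t.category;
      doc.head.appendChild(s);
    }
  }
  return allowed.map((t) => t.id);
}
```

Before any record exists (first visit), `scriptsToLoad(null)` yields only the strictly necessary tags, which is the "prior consent" behaviour the ePrivacy Directive requires.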
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
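The five requirements listed above and the category table translate directly into logic a consent banner has to get right, and most non-compliant banners fail in the code rather than in the wording. The following is an added example written for this article, not code from Complianz, CookieYes, CookieBot or any other plugin named here: a minimal consent gate with no pre-ticked categories, prior blocking of every non-essential cookie, per-category (granular) grants, withdrawal that is as simple as the grant, and an append-only consent record of what was agreed, when, and by which pseudonymous subject. The same per-purpose model applies to the separate registration checkboxes described under Legal Page Templates. The cookie-to-category map, the policy version strings and the subject ids are constructed sample values.

```javascript
// Added example for this article; not any consent plugin's code.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed map of cookie names to categories. A real CMP builds this from
// a cookie scan; the names here are illustrative only.
const COOKIE_CATEGORY = {
  PHPSESSID: "necessary",             // session
  wordpress_logged_in: "necessary",   // login authentication
  woocommerce_cart_hash: "necessary", // shopping cart
  site_lang: "functional",            // language preference
  _ga: "analytics",                   // Google Analytics
  _pk_id: "analytics",                // Matomo
  _fbp: "marketing",                  // Facebook Pixel
};

// Fresh state: nothing pre-ticked. Only strictly necessary is on, and no
// decision is recorded yet, so no non-essential cookie may be set ("prior").
function createConsentState(policyVersion) {
  return {
    policyVersion,
    decidedVersion: null,
    granted: { necessary: true, functional: false, analytics: false, marketing: false },
    log: [], // append-only consent records: what, when, by which pseudonymous user
  };
}

// Apply a user action and append a consent record.
// action: "accept_all" | "reject_all" | "custom" (with categories) | "withdraw"
function applyDecision(state, { action, categories = [], subjectId, at = new Date() }) {
  const granted = { necessary: true, functional: false, analytics: false, marketing: false };
  if (action === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (action === "custom") {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      granted[c] = true;
    }
  } else if (action !== "reject_all" && action !== "withdraw") {
    throw new Error(`unknown action: ${action}`);
  }
  // "reject_all" and "withdraw" both leave only strictly necessary enabled.
  state.granted = granted;
  state.decidedVersion = state.policyVersion;
  state.log.push({
    at: at.toISOString(),
    subjectId,
    action,
    granted: { ...granted },
    policyVersion: state.policyVersion,
  });
  return state;
}

// Strictly necessary is always allowed; everything else needs a recorded grant.
function isAllowed(state, category) {
  if (category === "necessary") return true;
  return state.granted[category] === true;
}

// Filter a list of cookie names down to the ones that may be set right now.
// Unknown (unclassified) cookies are blocked until someone classifies them.
function filterCookies(state, cookieNames) {
  return cookieNames.filter((name) => {
    const category = COOKIE_CATEGORY[name];
    return category !== undefined && isAllowed(state, category);
  });
}

// A changed cookie policy needs fresh consent; old grants do not carry over.
function needsReconsent(state, currentPolicyVersion) {
  return state.decidedVersion !== currentPolicyVersion;
}
```

Two details carry most of the compliance weight. First, the grant is rebuilt from "everything off" on every decision, so a "custom" save cannot inherit a category the user never ticked. Second, the log is only ever appended to; the record of a withdrawal sits next to the record of the original grant, which is what you need to show a regulator what the user agreed to at any point in time. Store that log server-side keyed by a pseudonymous consent id, not by the user's email.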
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
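The five requirements above expressed as a small consent model, added here as an example; it is not code from the original post or from any of the consent plugins compared below. It shows no consent before an explicit action, per-category choices, a stored record with what/when/who, one-call withdrawal, and script blocking driven by the record. The category names, action names, record fields and the script manifest are this example's own assumptions.

```javascript
// Added example, not code from the original post or from any consent plugin:
// a minimal consent model covering the requirements above. CATEGORIES, the
// action names, the record fields and SAMPLE_MANIFEST are assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Strictly necessary cookies are exempt and always on; every other category
// starts off, which is the "no pre-ticked boxes" rule expressed as data.
function noConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Only an explicit banner action can create a record. Scrolling or continuing
// to browse is not in this set, so it can never be turned into consent.
const ACTIONS = new Set(["accept_all", "reject_all", "save_preferences"]);

function buildConsentRecord({ action, choices = {}, subjectId, policyVersion, now = new Date() }) {
  if (!ACTIONS.has(action)) {
    throw new Error(`not a valid consent action: ${action}`);
  }
  const granted = noConsent();
  if (action === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (action === "save_preferences") {
    // Granular: each non-essential category is taken from the user's own choice.
    for (const c of CATEGORIES) {
      if (c !== "necessary" && choices[c] === true) granted[c] = true;
    }
  }
  // The stored record answers: what was consented to, when, by whom, and
  // against which version of the cookie policy text.
  return { subjectId, policyVersion, action, granted, timestamp: now.toISOString() };
}

// Withdrawal is one call, as easy as the original grant. It returns a new
// record rather than mutating the old one, so the log keeps both events.
function withdrawConsent(record, category, now = new Date()) {
  if (category === "necessary") {
    throw new Error("strictly necessary cookies are exempt and have no consent to withdraw");
  }
  const granted = { ...record.granted, [category]: false };
  return { ...record, action: "withdraw", granted, timestamp: now.toISOString() };
}

// "Prior" consent: with no record yet, nothing outside the necessary category
// may run, so no tracking cookie can be set before the visitor's choice.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  return Boolean(record && record.granted[category] === true);
}

// Script blocking: given a manifest of scripts tagged by category, return
// only the ones that may be injected into the page for this record.
function scriptsToLoad(record, manifest) {
  return manifest.filter((s) => isAllowed(record, s.category)).map((s) => s.src);
}

// Constructed manifest; the hostnames are placeholders, not real services.
const SAMPLE_MANIFEST = [
  { src: "/js/session-csrf.js", category: "necessary" },
  { src: "https://analytics.example/script.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

In a real page the manifest replaces the analytics and marketing `<script>` tags, and the tags are injected only from `scriptsToLoad` after a record exists; that is what makes the consent "prior" rather than a banner shown while the cookies are already being set.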
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
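A server-side guard for the "do not collect, do not store" rule above, added as an example; it is not code from the original post, Stripe, PayPal or WooCommerce. It screens submitted form fields for values shaped like a card number (13 to 19 digits that pass the Luhn check) so a misconfigured form or a visitor pasting a card number into the wrong field never results in a PAN reaching your database or logs. Processor tokens pass because they are not digit runs. The function names and the constructed sample fields are this example's own assumptions.

```javascript
// Added example, not code from the original post or any payment processor:
// a guard that detects card-number-shaped values in submitted form data so
// they are rejected before any write to the database or logs.

// Luhn check: every real PAN passes it, so it separates card numbers from
// order ids and phone numbers that merely have a similar length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Spaces and hyphens are tolerated because that is how people type card numbers.
function looksLikePan(value) {
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Returns the offending fields with the value redacted to its last four
// digits, which is all an alert log should ever contain.
function findCardData(formFields) {
  const hits = [];
  for (const [name, value] of Object.entries(formFields)) {
    if (looksLikePan(value)) {
      const digits = value.replace(/[\s-]/g, "");
      hits.push({ field: name, redacted: "*".repeat(digits.length - 4) + digits.slice(-4) });
    }
  }
  return hits;
}

// Run this before persisting or logging any submission. A rejected submission
// is the signal that a form is collecting data the processor should handle.
function screenSubmission(formFields) {
  const hits = findCardData(formFields);
  if (hits.length > 0) {
    return { accepted: false, reason: "card data must go to the payment processor, not this server", hits };
  }
  return { accepted: true, hits: [] };
}
```

The check is deliberately narrow: a Luhn-valid digit run of card length is flagged, while an order number of the same length that fails Luhn is not, so the guard can sit in front of every form handler without false positives on ordinary fields.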
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
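As an added example (not code from the post or from any consent plugin), the gate below models the practical requirements listed above and the category table: nothing outside the strictly necessary category runs until a record exists, every category is an explicit choice, withdrawal is one call, and a separate check enforces the one-checkbox-per-purpose rule from the registration section. The category names, script inventory, policy version and field layout are constructed placeholders.

```javascript
// Constructed category names follow the Cookie Categories table above.
// Only the strictly necessary category is exempt from consent; the table
// marks "functional" as "depends", and this gate takes the conservative
// path of treating it as consent-required.
const EXEMPT = new Set(['strictly_necessary']);
const CONSENT_CATEGORIES = ['functional', 'analytics', 'marketing'];

// Hypothetical script inventory: every third-party script on the site is
// tagged with the category whose consent it needs.
const SCRIPTS = [
  { name: 'session-keepalive', category: 'strictly_necessary' },
  { name: 'language-pref',     category: 'functional' },
  { name: 'matomo-tracker',    category: 'analytics' },
  { name: 'ad-pixel',          category: 'marketing' },
];

// Build the consent record that must be stored (what, when, by whom, and
// which policy text was shown). Every category needs an explicit true or
// false: an omitted category is not silently accepted, it is an error, so
// "Reject All" is a record with every category false, never a missing record.
function recordConsent({ subjectId, choices, policyVersion, now = new Date() }) {
  for (const c of CONSENT_CATEGORIES) {
    if (typeof choices[c] !== 'boolean') {
      throw new Error(`explicit true/false required for "${c}"`);
    }
  }
  return {
    subjectId,                    // pseudonymous visitor or account id
    policyVersion,                // cookie policy version the user saw
    timestamp: now.toISOString(), // when consent was given
    categories: { ...choices },   // exactly what was consented to
    withdrawnAt: null,
  };
}

// "Prior" consent: with no record (banner not answered yet) or after
// withdrawal, only exempt scripts may run.
function allowedCategories(record) {
  const allowed = new Set(EXEMPT);
  if (!record || record.withdrawnAt) return allowed;
  for (const c of CONSENT_CATEGORIES) {
    if (record.categories[c] === true) allowed.add(c);
  }
  return allowed;
}

// The names of the scripts the page is allowed to load right now.
function scriptsToLoad(record) {
  const allowed = allowedCategories(record);
  return SCRIPTS.filter(s => allowed.has(s.category)).map(s => s.name);
}

// Withdrawal is one call from the footer "cookie settings" link; the
// original record is kept as the audit trail and marked withdrawn.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Registration-form check for the bundled-consent rule: each checkbox
// serves one purpose, none is pre-ticked, and marketing consent is never
// a condition of creating the account.
// fields: [{ name, purposes: ['terms' | 'marketing' | ...], defaultChecked, required }]
function validateRegistrationForm(fields) {
  const errors = [];
  for (const f of fields) {
    if (f.purposes.length > 1) {
      errors.push(`"${f.name}" bundles ${f.purposes.join(' and ')}; use one checkbox per purpose`);
    }
    if (f.defaultChecked) errors.push(`"${f.name}" must not be pre-ticked`);
    if (f.purposes.includes('marketing') && f.required) {
      errors.push(`"${f.name}" must be optional; marketing consent cannot be required`);
    }
  }
  return errors;
}
```

The consent record is what the "Consent Logs" column of the plugin table refers to; a real deployment would persist it server-side keyed by the subject id.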
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
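As an added safety net (example code, not from the post or from any payment provider's SDK), the check below screens a parsed form body before it is written to the database or a log and refuses anything that looks like a raw card number, so a misconfigured form cannot quietly pull your server into PCI scope. The field names and sample values are constructed; processor tokens such as Stripe's "tok_" and "pm_" prefixes are alphanumeric and never match.

```javascript
// Luhn check: the checksum a card number (PAN) satisfies. Tokens and
// order ids that happen to be all digits rarely pass it, which keeps
// false positives low.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN when, with spaces and dashes removed, it is
// 13 to 19 digits long and passes Luhn.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed form/JSON body and collect the dotted paths of offending
// fields. Only paths are returned, never the values themselves.
function findPanFields(body, path = '') {
  const hits = [];
  if (body !== null && typeof body === 'object') {
    for (const [key, val] of Object.entries(body)) {
      hits.push(...findPanFields(val, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Gate to call before any persistence. Returns a decision so the caller can
// reject the request (HTTP 400) and record which field was at fault without
// ever storing or echoing the number.
function screenSubmission(body) {
  const offendingFields = findPanFields(body);
  return { accept: offendingFields.length === 0, offendingFields };
}
```

A hit in production is a signal that a form is collecting card data client-side that should be going through Stripe.js/Elements or the equivalent, not a condition to handle by masking the value.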
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
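The 4.5:1 contrast requirement above is computable, so it can be checked before a WAVE or axe run. The following is an added example (not from the original post or from either tool) that implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and audits a constructed list of text/background pairs; the selectors and colours in the sample are made up.

```javascript
// Added example: WCAG 2.1 contrast check from hex colours.
// Thresholds are the Level AA ones the text cites: 4.5:1 for normal text,
// 3:1 for large text. The SAMPLE_STYLES list at the bottom is constructed.
function hexToRgb(hex) {
  let h = hex.replace(/^#/, '');
  if (h.length === 3) h = h.split('').map(c => c + c).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`invalid colour: ${hex}`);
  return [0, 2, 4].map(i => parseInt(h.slice(i, i + 2), 16));
}

// Linearise an 8-bit sRGB channel as WCAG 2.x defines it.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour as L1,
// so the result is the same whichever argument is the foreground.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  const [hi, lo] = l1 > l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Large text is at least 18pt, or at least 14pt when bold (WCAG 2.1 SC 1.4.3).
function requiredRatio(fontPt, bold) {
  return fontPt >= 18 || (bold && fontPt >= 14) ? 3 : 4.5;
}

function passesAA(fg, bg, fontPt = 16, bold = false) {
  return contrastRatio(fg, bg) >= requiredRatio(fontPt, bold);
}

// Audit colour pairs and return only the failures, worst ratio first,
// so the high-severity issues can be fixed before the marginal ones.
function auditContrast(pairs) {
  return pairs
    .map(p => ({
      ...p,
      ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100,
      required: requiredRatio(p.fontPt ?? 16, p.bold ?? false),
    }))
    .filter(p => p.ratio < p.required)
    .sort((a, b) => a.ratio - b.ratio);
}

// Constructed sample: a typical theme with one grey "muted" style and a blue button.
const SAMPLE_STYLES = [
  { selector: 'body', fg: '#333333', bg: '#ffffff', fontPt: 12 },
  { selector: '.muted', fg: '#777777', bg: '#ffffff', fontPt: 12 },
  { selector: 'h1', fg: '#777777', bg: '#ffffff', fontPt: 24 },
  { selector: '.cta', fg: '#ffffff', bg: '#3b82f6', fontPt: 12, bold: true },
];
```

Note that the same grey passes as a large heading but fails as body text; the threshold depends on size, not only on colour.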
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
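Tokenization only keeps you in SAQ A scope if card numbers never arrive through your own forms, including free-text fields such as order notes or support tickets. As an added example (not code from the post or from any processor’s SDK), here is a server-side guard that scans submitted fields for Luhn-valid card-number patterns and refuses the submission, reporting only a masked value so the finding itself stores no card data. The function names, the 13-19 digit range and the sample submissions are this example’s own assumptions.

```javascript
// Added example (not from the original post): detect payment card numbers that
// were pasted into fields your site does own, so they can be rejected before
// they land in the database or logs. Names and sample input are constructed here.

// Luhn check: every real PAN satisfies this checksum, so it filters out most
// random digit runs (order ids, phone numbers) that merely look like a card.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or hyphens.
// The word boundaries stop a longer digit run (e.g. a 20-digit id) from matching.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Keep the first six and last four digits, as a PCI-style masked PAN, so the
// alert can be logged without reintroducing card data.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Return the masked form of every Luhn-valid candidate found in `text`.
function findCardNumbers(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(maskPan(digits));
    }
  }
  return hits;
}

// Check a whole form submission (an object of field name -> value). Returns
// { ok, findings } so the caller can refuse the request and raise an alert
// keyed by field name, without ever persisting the offending value.
function checkSubmission(fields) {
  const findings = {};
  for (const [name, value] of Object.entries(fields)) {
    const hits = findCardNumbers(String(value));
    if (hits.length > 0) findings[name] = hits;
  }
  return { ok: Object.keys(findings).length === 0, findings };
}

// Constructed sample: a support form where a customer pasted a test card number.
const sampleSubmission = {
  name: "Alice Example",
  message: "Please charge my card 4242 4242 4242 4242 for the upgrade",
};
console.log(checkSubmission(sampleSubmission));
```

Run this over any field that accepts free text, and also over outbound log lines, since the same PAN-shaped data leaking into logs would widen your PCI scope just as much.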
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
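As an added example (not code from the post or from any of the plugins discussed), here is the gating logic behind the requirements above and the category table: nothing pre-ticked, per-category choices, a dated and versioned consent record, withdrawal that keeps the audit trail, and non-essential scripts that stay inert until their category is allowed. The category names, the policy version string and the 180-day re-consent interval are this example’s own assumptions; storage and the script tags are modelled as plain objects so it runs under Node without a DOM.

```javascript
// Added example (not from the original post): a minimal consent manager.
// Category names, POLICY_VERSION and CONSENT_MAX_AGE_DAYS are assumed values.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01";   // bump whenever the cookie policy changes
const CONSENT_MAX_AGE_DAYS = 180;   // re-ask after this long (example value)

// Default state: nothing optional is granted. "necessary" is exempt and is
// never presented as a choice, so it is always true.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the user's explicit choices. Only a literal
// `true` counts; anything else stays false (no pre-ticked boxes, no "accept by
// scrolling"). The record captures what, when and under which policy version.
function recordConsent(choices, now = new Date(), visitorId = null) {
  const categories = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) categories[cat] = true;
  }
  return {
    version: POLICY_VERSION,
    timestamp: now.toISOString(),
    visitorId,            // pseudonymous id, or null if none is kept
    categories,
    withdrawn: false,
  };
}

// "Reject all" must be as easy as "Accept all": both are a single call.
function rejectAll(now, visitorId) {
  return recordConsent({}, now, visitorId);
}
function acceptAll(now, visitorId) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, now, visitorId);
}

// Withdrawal produces a new record rather than deleting the old one, so the
// consent log still shows what was granted and when it was revoked.
function withdrawConsent(record, now = new Date()) {
  return { ...record, categories: defaultConsent(), withdrawn: true, timestamp: now.toISOString() };
}

// A stored record only counts if it was given under the current policy version
// and is not older than CONSENT_MAX_AGE_DAYS; anything else is treated as no consent.
function isRecordValid(record, now = new Date()) {
  if (!record || record.version !== POLICY_VERSION) return false;
  const ageMs = now - new Date(record.timestamp);
  return ageMs >= 0 && ageMs <= CONSENT_MAX_AGE_DAYS * 86400000;
}

// May a script in this category run? "necessary" always may; every other
// category needs a valid, non-withdrawn record with that category set to true.
// Unknown categories are blocked rather than allowed through.
function isAllowed(category, record, now = new Date()) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  if (!isRecordValid(record, now) || record.withdrawn) return false;
  return record.categories[category] === true;
}

// "Prior" consent means the tags ship inert, e.g.
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// and are switched to type="text/javascript" only once allowed. Tags are
// modelled here as { category, src, type } objects so the gating is testable.
function activateScripts(tags, record, now = new Date()) {
  return tags.map((tag) =>
    isAllowed(tag.category, record, now) ? { ...tag, type: "text/javascript" } : tag
  );
}

// Constructed sample run: the visitor allows analytics only.
const sampleTags = [
  { category: "necessary", src: "/session.js", type: "text/plain" },
  { category: "analytics", src: "/matomo.js", type: "text/plain" },
  { category: "marketing", src: "/pixel.js", type: "text/plain" },
];
const sampleRecord = recordConsent({ analytics: true }, new Date(), "visitor-1");
console.log(activateScripts(sampleTags, sampleRecord));
```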
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
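The rule above ("do not collect card numbers in your own forms"), as an added guardrail example that is not code from the original post or from Stripe, PayPal or WooCommerce: a Node.js check for your own form endpoints that rejects any submission containing a Luhn-valid card number, so a misbuilt form or a visitor pasting a card into a free-text field cannot quietly pull your server (and its logs) into PCI scope. The Express-style middleware shape is an assumption; the sample field names in the comments are constructed.

```javascript
'use strict';

// Luhn checksum over a string of digits (the check digit scheme used by card numbers).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Card numbers are 13 to 19 digits; people type them with spaces or dashes between groups.
const CANDIDATE_RE = /(?:\d[ -]?){12,18}\d/g;

// True if the value contains a digit run of card length that passes the Luhn check.
// Phone numbers are too short; order ids of card length rarely pass Luhn (about 1 in 10 do,
// so the rejection message names the field to let an operator spot a false positive).
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const text = String(value);
  for (const candidate of text.match(CANDIDATE_RE) || []) {
    const digits = candidate.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Walk a parsed request body (nested objects and arrays) and return the dotted path of
// every value that looks like a card number, e.g. ["order.notes"].
function findPanFields(body, path = '') {
  const hits = [];
  if (body !== null && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      hits.push(...findPanFields(value, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(body)) {
    hits.push(path || '(root)');
  }
  return hits;
}

// Decide whether a submission may be accepted by your own server at all.
function checkSubmission(body) {
  const fields = findPanFields(body);
  return fields.length === 0 ? { ok: true, fields: [] } : { ok: false, fields };
}

// Express-style middleware (assumed shape): mount it in front of every form handler.
function rejectCardData(req, res, next) {
  const result = checkSubmission(req.body);
  if (!result.ok) {
    // Log field names only, never values, so the card number does not land in your logs either.
    console.warn('rejected submission with card-like data in fields:', result.fields.join(', '));
    return res.status(400).json({ error: 'Card details must be entered in the payment form only.' });
  }
  return next();
}
```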
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
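The consent rules and categories above, turned into working logic as an added example (not code from the article or from any of the plugins compared below). It assumes a policy version string and a visitor id, and takes a storage object and a script list as inputs so the same logic runs under Node; in a browser the store would be backed by localStorage and the tags would be real inert `<script type="text/plain">` elements.

```javascript
// Added example, not code from the article or any of the plugins it compares:
// a small consent-state model implementing the rules above. Non-essential
// categories stay blocked until an explicit click, choices are per category,
// withdrawal is one call, and every decision is logged with what/when/who.
// Storage and the script list are injected so it runs under Node for testing.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== 'necessary');
const POLICY_VERSION = '2026-01'; // assumed value; bump whenever the cookie policy text changes

// State before any interaction ("prior" consent): strictly necessary only.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  constructor({ store = new Map(), now = () => new Date(), visitorId = 'anon' } = {}) {
    this.store = store;         // key/value storage: a Map here, localStorage in a browser
    this.now = now;             // injectable clock
    this.visitorId = visitorId; // pseudonymous id or account id written to the consent log
    this.log = [];              // append-only consent record (what, when, who, policy version)
  }

  // A stored decision counts only if it was made against the current policy version;
  // otherwise the visitor must be asked again and everything non-essential stays off.
  choices() {
    const saved = this.store.get('consent');
    if (!saved || saved.policyVersion !== POLICY_VERSION) return defaultChoices();
    return { ...defaultChoices(), ...saved.choices };
  }

  // Only explicit button clicks are accepted; "scroll" or "continue" are rejected,
  // which is how the no-passive-consent rule is enforced in code.
  record(action, requested = {}) {
    const explicit = ['accept_all', 'reject_all', 'save_preferences'];
    if (!explicit.includes(action)) {
      throw new Error(`passive action "${action}" is not valid consent`);
    }
    const choices = defaultChoices(); // reject_all keeps exactly these defaults
    if (action === 'accept_all') NON_ESSENTIAL.forEach((c) => { choices[c] = true; });
    if (action === 'save_preferences') {
      // Granular: each category is opted in individually; anything not ticked is false.
      for (const c of NON_ESSENTIAL) choices[c] = requested[c] === true;
    }
    const entry = {
      visitorId: this.visitorId,
      timestamp: this.now().toISOString(),
      action,
      policyVersion: POLICY_VERSION,
      choices,
    };
    this.store.set('consent', { policyVersion: POLICY_VERSION, choices });
    this.log.push(entry);
    return entry;
  }

  // Withdrawal costs the visitor one click, the same as granting did.
  withdraw() {
    return this.record('reject_all');
  }

  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
    return this.choices()[category] === true;
  }
}

// Script gating: tags ship inert (type="text/plain" with a data-category) and are
// switched on only for allowed categories. Returns the ids activated so the caller
// can verify nothing ran before consent.
function activateScripts(manager, tags) {
  const activated = [];
  for (const tag of tags) {
    if (manager.isAllowed(tag.category || 'necessary')) {
      tag.type = 'text/javascript'; // in a real DOM, clone the node so the browser executes it
      activated.push(tag.id);
    }
  }
  return activated;
}

// Constructed sample tags, as a page template might declare them.
const SAMPLE_TAGS = [
  { id: 'csrf-helper', category: 'necessary', type: 'text/plain' },
  { id: 'ga4', category: 'analytics', type: 'text/plain' },
  { id: 'fb-pixel', category: 'marketing', type: 'text/plain' },
];

// One visit: before any choice only the necessary tag runs; after the visitor
// ticks analytics only, the analytics tag is added and marketing stays off.
function demo() {
  const cm = new ConsentManager({ visitorId: 'v-123' });
  const before = activateScripts(cm, SAMPLE_TAGS.map((t) => ({ ...t })));
  cm.record('save_preferences', { analytics: true }); // marketing box left unticked
  const after = activateScripts(cm, SAMPLE_TAGS.map((t) => ({ ...t })));
  return { before, after, log: cm.log };
}
```

The `log` array is the consent record a plugin's "consent logs" feature persists; keeping the policy version in each entry is what lets you prove which wording the visitor agreed to.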
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
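The 4.5:1 contrast rule above is the one WCAG requirement you can check exactly in code rather than by eye. The following is an added example, not code from the original post: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and audits a constructed palette against the AA thresholds (4.5:1 for normal text, 3:1 for large text). The palette colours and the `largeText` flag are assumptions for illustration.

```javascript
// Added example (not from the original post): compute the WCAG 2.1 contrast
// ratio for a text/background pair and check it against the AA thresholds.
// The palette at the bottom is constructed for illustration.

// Parse "#rgb" or "#rrggbb" into [r, g, b] in 0..255.
function hexToRgb(hex) {
  const h = hex.replace(/^#/, '');
  const full = h.length === 3 ? h.split('').map((c) => c + c).join('') : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`not a hex colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(full.slice(i, i + 2), 16));
}

// Relative luminance as defined by WCAG 2.1 (sRGB, linearised channels).
function relativeLuminance([r, g, b]) {
  const linear = (channel) => {
    const s = channel / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * linear(r) + 0.7152 * linear(g) + 0.0722 * linear(b);
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21.
function contrastRatio(foreground, background) {
  const l1 = relativeLuminance(hexToRgb(foreground));
  const l2 = relativeLuminance(hexToRgb(background));
  const [lighter, darker] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (lighter + 0.05) / (darker + 0.05);
}

// WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (18pt+, or 14pt+ bold).
function meetsAA(foreground, background, { largeText = false } = {}) {
  return contrastRatio(foreground, background) >= (largeText ? 3 : 4.5);
}

// Audit a list of text/background pairs and report each ratio and verdict.
function auditPalette(pairs) {
  return pairs.map((pair) => ({
    ...pair,
    ratio: Math.round(contrastRatio(pair.fg, pair.bg) * 100) / 100,
    passesAA: meetsAA(pair.fg, pair.bg, { largeText: pair.largeText === true }),
  }));
}

// Constructed palette: body text, a mid-grey caption, and the same grey used
// for a large heading (where the 3:1 threshold applies instead).
const SAMPLE_PALETTE = [
  { name: 'body text', fg: '#333333', bg: '#ffffff' },
  { name: 'caption', fg: '#777777', bg: '#ffffff' },
  { name: 'hero heading', fg: '#777777', bg: '#ffffff', largeText: true },
];

console.log(auditPalette(SAMPLE_PALETTE));
```

Note that `#777777` on white comes out at about 4.48:1, just under the normal-text threshold, which is exactly the kind of near miss WAVE or axe will flag; the same grey passes for large text. Run the audit over your theme's actual colour variables after any redesign.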
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
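Tokenizing at the processor keeps card numbers out of your forms by design, but a customer can still paste one into an order note or a contact form. The following is an added example, not code from the original post or from any processor's SDK: a server-side guard that scans every string field of a submission for digit runs that pass the Luhn check and rejects the submission before it is written anywhere, logging only a PCI-style truncated form (first six and last four digits). The sample submissions are constructed; the card number used is Stripe's public test number, not a real card.

```javascript
// Added example (not from the original post): refuse any form submission that
// contains something that looks like a card number, so a PAN pasted into a
// notes box never reaches your database. Sample submissions are constructed.

// Luhn check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Return every 13-19 digit run (spaces or dashes allowed between digits)
// that passes Luhn. Luhn alone has roughly a 10% false-positive rate on
// random digit strings, so a hit means "looks like a PAN", not proof.
function findCardNumbers(text) {
  const hits = [];
  const candidate = /(?:\d[ -]?){12,18}\d/g;
  let match;
  while ((match = candidate.exec(text)) !== null) {
    const digits = match[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// PCI-style truncation for logs: first six and last four digits only.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Inspect every string field; reject the submission if any PAN-like value is present.
function guardSubmission(fields) {
  const violations = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    const found = findCardNumbers(value);
    if (found.length > 0) violations.push({ field: name, masked: found.map(maskPan) });
  }
  return { accepted: violations.length === 0, violations };
}

// Constructed submissions: a clean one (phone number and a non-Luhn reference
// number) and one with Stripe's public test card pasted into a free-text field.
const CLEAN_SUBMISSION = {
  name: 'A. Customer',
  phone: '+1 555 0100 2024',
  note: 'Ref 1234 5678 9012 3456',
};
const TAINTED_SUBMISSION = {
  name: 'A. Customer',
  note: 'charge my card 4242-4242-4242-4242 please',
};

console.log(guardSubmission(CLEAN_SUBMISSION));
console.log(guardSubmission(TAINTED_SUBMISSION));
```

This is a detective control on top of the tokenized checkout, not a replacement for it: the point of SAQ A scope is that your server never sees a PAN at all, and this guard only catches the cases where one arrives by accident.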
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from the pages where they matter. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Access to the site cannot be made conditional on giving consent (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
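The requirements list and the category table above together define a small state machine: non-essential categories start undecided, each is switched on only by an explicit choice, withdrawal is one click, and every decision is logged. The following is an added example, not code from the original post or from any of the plugins discussed later: a consent store implementing those rules, a function that decides which tags may be injected right now, and a cookie-audit check that reports cookies present in the browser whose category has no consent. The script inventory, cookie names and `method` labels are constructed for illustration.

```javascript
// Added example (not from the original post): a consent store that enforces
// the rules listed above and maps each script to a cookie category. The
// script inventory and cookie names are constructed for illustration; wire
// `scriptsToLoad` to whatever injects tags on your site.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed inventory: every tag the site can load, tagged with its category
// and the cookies it sets.
const SCRIPT_INVENTORY = [
  { id: 'session', category: 'necessary', cookies: ['PHPSESSID', 'csrf_token'] },
  { id: 'language-pref', category: 'functional', cookies: ['site_lang'] },
  { id: 'analytics', category: 'analytics', cookies: ['_ga', '_gid'] },
  { id: 'ad-pixel', category: 'marketing', cookies: ['_fbp'] },
];

function createConsentStore(now = () => new Date()) {
  // Strictly necessary is always on; every other category starts undecided
  // (null), which counts as "not consented", never as pre-ticked.
  const state = { necessary: true, functional: null, analytics: null, marketing: null };
  const log = [];

  // Granular update: each non-essential category is set by an explicit boolean.
  function update(choices, method = 'banner') {
    for (const [category, value] of Object.entries(choices)) {
      if (!CATEGORIES.includes(category) || category === 'necessary') {
        throw new Error(`cannot set consent for "${category}"`);
      }
      if (typeof value !== 'boolean') {
        throw new Error(`consent for "${category}" must be an explicit true or false`);
      }
      state[category] = value;
    }
    // Consent record: what was decided, when, and through which control.
    log.push({ at: now().toISOString(), method, choices: { ...choices } });
  }

  // Only an affirmative true counts; null (no decision yet) is a refusal.
  const allowed = (category) => state[category] === true;

  return {
    update,
    allowed,
    acceptAll: () => update({ functional: true, analytics: true, marketing: true }, 'banner:accept-all'),
    rejectAll: () => update({ functional: false, analytics: false, marketing: false }, 'banner:reject-all'),
    // Withdrawal is one call from the footer settings link, as easy as granting.
    withdraw: (category) => update({ [category]: false }, 'settings-link'),
    snapshot: () => ({ ...state }),
    records: () => log.map((entry) => ({ ...entry, choices: { ...entry.choices } })),
  };
}

// The tags that may be injected right now: necessary ones before any banner
// interaction, the rest only after their category was consented to.
function scriptsToLoad(store) {
  return SCRIPT_INVENTORY.filter((s) => store.allowed(s.category)).map((s) => s.id);
}

// Detective check for a cookie audit: cookies present in the browser whose
// category the visitor has not consented to. Cookies missing from the
// inventory are reported separately so the inventory can be updated.
function auditCookies(store, presentCookieNames) {
  const categoryOf = new Map();
  for (const s of SCRIPT_INVENTORY) for (const c of s.cookies) categoryOf.set(c, s.category);
  const unconsented = [];
  const unknown = [];
  for (const name of presentCookieNames) {
    const category = categoryOf.get(name);
    if (category === undefined) unknown.push(name);
    else if (!store.allowed(category)) unconsented.push(name);
  }
  return { unconsented, unknown };
}
```

The `auditCookies` check is the same thing a monthly cookie scan does, expressed against your own inventory: anything in `unknown` is a plugin that started setting cookies you have not categorised, and anything in `unconsented` is a tag firing before consent, which is the failure the "prior" requirement forbids.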
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
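The Data Mapping and Data Subject Rights items above are easiest to operate when the data map is a machine-readable table and every request handler reads from it. The following is an added example, not code from the original post or from WordPress's own export tools: a constructed data map (source, storage location, processor, lawful basis, retention period per data type), a request log entry with the 30-day deadline, and the access/portability export, erasure with a documented legal-obligation exception, and retention sweep all driven from that map. Data types, storage names, subject ids and records are constructed for illustration.

```javascript
// Added example (not from the original post): a data map as the checklist
// describes, plus the request, export, erasure and retention operations that
// read from it. Map entries, records and subject ids are constructed.
const DSAR_DEADLINE_DAYS = 30;

// One entry per personal data type: where it comes from, where it lives, who
// processes it, the lawful basis, and retention (null = life of the account).
const DATA_MAP = {
  email: { source: 'registration', storedIn: 'wp_users', processor: 'self', lawfulBasis: 'contract', retentionDays: null },
  ip: { source: 'server log', storedIn: 'access.log', processor: 'hosting provider', lawfulBasis: 'legitimate interest', retentionDays: 30 },
  order: { source: 'purchase', storedIn: 'wc_orders', processor: 'self', lawfulBasis: 'legal obligation', retentionDays: 7 * 365 },
  newsletter: { source: 'form', storedIn: 'email platform', processor: 'email platform', lawfulBasis: 'consent', retentionDays: null },
};

// Constructed records held about two subjects.
const SAMPLE_RECORDS = [
  { type: 'email', subject: 'u42', value: 'u42@example.com', collectedAt: '2024-01-10T00:00:00Z' },
  { type: 'ip', subject: 'u42', value: '203.0.113.7', collectedAt: '2024-03-01T00:00:00Z' },
  { type: 'ip', subject: 'u42', value: '203.0.113.8', collectedAt: '2024-04-20T00:00:00Z' },
  { type: 'order', subject: 'u42', value: 'order-1001', collectedAt: '2024-02-02T00:00:00Z' },
  { type: 'email', subject: 'u7', value: 'u7@example.com', collectedAt: '2024-01-11T00:00:00Z' },
];

// Every stored type must be in the map; an unmapped type is itself a finding.
function metaFor(type) {
  const meta = DATA_MAP[type];
  if (meta === undefined) throw new Error(`"${type}" is not in the data map; map it before storing it`);
  return meta;
}

function addDays(iso, days) {
  const d = new Date(iso);
  d.setUTCDate(d.getUTCDate() + days);
  return d.toISOString();
}

// Log an incoming request with its statutory deadline.
function openRequest(kind, subject, receivedAt) {
  if (!['access', 'erasure', 'portability', 'rectification'].includes(kind)) {
    throw new Error(`unknown request kind "${kind}"`);
  }
  return { kind, subject, receivedAt, dueBy: addDays(receivedAt, DSAR_DEADLINE_DAYS), status: 'open' };
}

// Access / portability: everything held about one subject, grouped by data
// type together with the map metadata, as plain JSON-serialisable data.
function exportSubject(records, subject) {
  const out = {};
  for (const r of records) {
    if (r.subject !== subject) continue;
    const meta = metaFor(r.type);
    if (out[r.type] === undefined) out[r.type] = { ...meta, values: [] };
    out[r.type].values.push({ value: r.value, collectedAt: r.collectedAt });
  }
  return out;
}

// Erasure: drop the subject's records except those kept under a legal
// obligation, and say which ones were kept and why.
function eraseSubject(records, subject) {
  const remaining = [];
  const retained = [];
  for (const r of records) {
    if (r.subject !== subject) {
      remaining.push(r);
    } else if (metaFor(r.type).lawfulBasis === 'legal obligation') {
      remaining.push(r);
      retained.push({ type: r.type, reason: 'legal obligation' });
    }
  }
  return { remaining, retained };
}

// Retention sweep: discard records older than their type's retention period.
function applyRetention(records, nowIso) {
  const now = new Date(nowIso).getTime();
  return records.filter((r) => {
    const days = metaFor(r.type).retentionDays;
    return days === null || now - new Date(r.collectedAt).getTime() <= days * 86400000;
  });
}
```

Running `exportSubject` is also the quickest way to find out whether your map is complete: a record type that is stored but unmapped throws, which is the same gap a privacy-policy review is meant to catch. The third-party processors named in the map are the ones that need a signed DPA.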
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
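The two rules above are easy to state and easy to break by accident: a themed checkout form that posts a card field to your own server, or a debug log that prints the request body, puts you back in full PCI scope. The following is an added example written for this post, not code from Stripe, PayPal or WooCommerce. It shows a server-side guard that refuses any request carrying something that looks like a card number, accepts only a processor token, and redacts card numbers from log lines. The token format (`pm_...`, modelled on Stripe-style PaymentMethod ids) and the `handleCheckout`/`redactPans` names are assumptions for the example; the card number used is the public `4242...` test number, not a real card.

```javascript
// Added example, not from Stripe, PayPal or WooCommerce: a server-side guard
// that keeps raw card numbers out of your own forms, database and logs, so the
// only thing your server ever handles is the processor's token.

// Luhn check on a string of digits; every real card number passes it.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns every Luhn-valid, card-number-looking run inside a string.
function findPans(text) {
  return (String(text).match(PAN_PATTERN) || []).filter((run) =>
    luhnValid(run.replace(/[ -]/g, ""))
  );
}

// Names of submitted fields that carry something that looks like a card number.
function findPanFields(body) {
  return Object.entries(body)
    .filter(([, value]) => typeof value === "string" && findPans(value).length > 0)
    .map(([name]) => name);
}

// Hardened checkout handler: refuses any request carrying a PAN (whatever field
// it arrived in) and then accepts only a processor token. Assumption: tokens look
// like Stripe-style PaymentMethod ids ("pm_..."); adjust for your processor.
function handleCheckout(body) {
  const leaked = findPanFields(body);
  if (leaked.length > 0) {
    return { status: 400, error: "raw card data is not accepted", fields: leaked };
  }
  if (typeof body.payment_method !== "string" || !/^pm_[A-Za-z0-9]+$/.test(body.payment_method)) {
    return { status: 400, error: "payment token required" };
  }
  // Hand the token (never a card number) to the processor's server-side API here.
  return { status: 200, charge: { token: body.payment_method, amount: body.amount } };
}

// Log redaction: one stray debug line with a full PAN pulls your log storage
// into PCI scope, so keep only the last four digits.
function redactPans(line) {
  return String(line).replace(PAN_PATTERN, (run) => {
    const digits = run.replace(/[ -]/g, "");
    return luhnValid(digits) ? `****${digits.slice(-4)}` : run;
  });
}
```

The PAN check runs before the token check on purpose: a card number pasted into the `payment_method` field is still a card number reaching your server, and the 400 response with the offending field name is what tells you which form is misconfigured.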
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
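The plugins compared below implement the rules from the list above for you, but it helps to see the rules as code to know what a correct banner actually enforces. The following is an added example written for this post, not code from Complianz, CookieBot or any other plugin. It models consent state for the four categories in the table: nothing non-essential is allowed until the visitor acts, only an explicit choice counts, "Reject all" is as easy as "Accept all", withdrawal is one call, and each record carries a timestamp and policy version. The `POLICY_VERSION` value, the `bannerId` field and the script inventory are constructed for the example; persisting the record and wiring it to real buttons is left to the site.

```javascript
// Added example (not code from any plugin on this page): a consent-state model
// that enforces the cookie consent requirements listed above. Pure JavaScript so
// it runs in Node; the site wires it to banner buttons and to the cookie or
// localStorage entry that persists the record.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Assumption: bump this whenever the cookie policy changes so old records stop counting.
const POLICY_VERSION = "2024-01";

// Prior consent: until the visitor acts, only strictly necessary cookies are allowed.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the visitor's explicit choice (category -> boolean) into a consent record.
// Anything other than a literal `true` is a refusal, so a missing key, a pre-filled
// default, or a raw checkbox string like "on" never grants a category.
function recordConsent(choice, { now = new Date(), bannerId = null } = {}) {
  const granted = defaultConsent();
  for (const category of CATEGORIES) {
    if (category === "necessary") continue; // exempt and cannot be refused
    granted[category] = choice[category] === true;
  }
  return {
    version: POLICY_VERSION,
    timestamp: now.toISOString(), // when consent was given
    bannerId,                     // assumption: random id stored with the record, not the user's identity
    granted,
  };
}

function acceptAll(opts) {
  return recordConsent(Object.fromEntries(CATEGORIES.map((c) => [c, true])), opts);
}

// "Reject all" is one click, exactly like "Accept all".
function rejectAll(opts) {
  return recordConsent({}, opts);
}

// Withdrawal writes a fresh record with everything non-essential off; the old
// record stays in your consent log as proof of what was consented to and when.
function withdrawConsent(opts) {
  return rejectAll(opts);
}

// Only an explicit banner action yields a record. Scrolling, navigating or
// closing the banner returns null, i.e. the default (no consent) stays in force.
function consentFromInteraction(kind, choice = {}, opts = {}) {
  switch (kind) {
    case "accept_all": return acceptAll(opts);
    case "reject_all": return rejectAll(opts);
    case "save_choices": return recordConsent(choice, opts);
    default: return null;
  }
}

// Decide which tagged scripts may load. A missing record, or one written under
// an older policy version, is treated as no consent at all.
function scriptsToLoad(record, scripts) {
  const granted =
    record && record.version === POLICY_VERSION ? record.granted : defaultConsent();
  return scripts.filter((s) => granted[s.category] === true).map((s) => s.src);
}

// Constructed inventory mirroring the categories table above (hostnames are placeholders).
const SITE_SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/locale.js", category: "functional" },
  { src: "https://analytics.example/stats.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```

Script blocking is the part most often got wrong: tags for analytics and marketing must not be in the page at all until `scriptsToLoad` returns them, which is why the plugins table lists "Script Blocking" as a separate feature from showing a banner.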
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Consent, contract performance, legal obligation, or legitimate interest, stated per purpose (GDPR lists six bases; these four cover almost all website processing)
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit "I agree" checkbox (clickwrap) is far more likely to be enforced by a court than "using the site implies acceptance" (browsewrap); use the checkbox for anything involving accounts or payments
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies (or otherwise storing or reading data on the visitor’s device - local storage and tracking pixels count too). “Prior” means before the cookie is set or the tracking script runs - not after the visitor has already been tracked for a session. In practice the analytics and marketing tags must be blocked until consent is recorded, not merely hidden behind a banner, which is why the “Script Blocking” column matters in the plugin comparison below.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Art. 7(1)): store what was consented to, when, which version of the cookie notice was shown, and a pseudonymous consent ID (a random value, not a name or email) that ties the record to the visitor’s browser. Re-ask when the notice or the purposes change.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes by default. Narrowly scoped first-party audience measurement with no cross-site tracking (what Matomo’s cookie-less mode is built for) is exempted by some regulators, notably CNIL; session recording tools are not |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
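The mechanics behind “prior consent”, script blocking and consent records, as an added example that is not code from the original post or from any of the plugins compared below: a minimal consent gate in plain JavaScript. Tagged script elements are left inert (`type="text/plain"`) until the visitor grants their category, every decision is default-deny, and the record carries a random consent ID, the policy version and a timestamp so withdrawal and re-consent after a policy change are visible in the log. It goes a little beyond the list above by also honoring the Global Privacy Control browser signal as a marketing opt-out, which matters for CCPA/CPRA. The cookie name `site_consent`, the `data-consent`/`data-src` attributes, the `2026-01` policy version and the six-month re-consent period are assumptions for this illustration.

```javascript
// Added example (not from the post or any plugin): a minimal cookie consent gate.
// Assumed: cookie name, data-* attributes, policy version string, re-ask period.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_COOKIE = "site_consent";      // assumed cookie name
const POLICY_VERSION = "2026-01";           // bump whenever the cookie policy changes
const CONSENT_MAX_AGE = 180 * 24 * 3600;    // assumed: re-ask after six months

// Random, unguessable consent ID: lets a server-side log match a banner
// interaction without storing a name or email. Fails closed without a CSPRNG.
function newConsentId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  throw new Error("no CSPRNG available for consent ID");
}

// Build a record from the banner's checkbox state. Default-deny: only a category
// the visitor actively ticked (strict boolean true) is granted; "necessary"
// needs no consent and is always on.
function buildConsentRecord(choices, opts = {}) {
  const now = opts.now || new Date();
  const granted = {};
  for (const cat of CATEGORIES) {
    granted[cat] = cat === "necessary" || choices[cat] === true;
  }
  return { id: opts.id || newConsentId(), version: POLICY_VERSION, at: now.toISOString(), granted };
}

// Withdrawal must be as easy as consent: one call yields a record that keeps
// only "necessary", under a fresh ID so the log shows the change.
function withdrawConsent(opts = {}) {
  return buildConsentRecord({}, opts);
}

// May this category run? No record, a record for an older policy version, or a
// missing flag all deny. A Global Privacy Control signal is treated as an
// opt-out of marketing/sharing even if an existing record granted it.
function isAllowed(record, category, signals = {}) {
  if (category === "necessary") return true;
  if (!record || record.version !== POLICY_VERSION) return false;
  if (category === "marketing" && signals.gpc === true) return false;
  return record.granted[category] === true;
}

// Split the page's tagged scripts into those that may load now and those that
// stay blocked. An untagged script is treated as marketing (the most
// restrictive category) rather than silently allowed.
function gateScripts(scripts, record, signals = {}) {
  const load = [];
  const hold = [];
  for (const s of scripts) {
    const cat = CATEGORIES.includes(s.category) ? s.category : "marketing";
    (isAllowed(record, cat, signals) ? load : hold).push(s);
  }
  return { load, hold };
}

// Cookie persistence. The record is JSON, URL-encoded so it survives cookie
// syntax; SameSite=Lax and Secure keep it first-party and HTTPS-only.
function serializeConsent(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Parse document.cookie (or a Cookie header). Anything malformed is treated as
// "no consent", never as a grant.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join("=")));
      if (rec && typeof rec.id === "string" && rec.granted && typeof rec.granted === "object") return rec;
    } catch (e) {
      // fall through: malformed cookie
    }
    return null;
  }
  return null;
}

// Browser glue (skipped under Node). Assumed markup for a blocked tag:
//   <script type="text/plain" data-consent="analytics" data-src="/analytics.js"></script>
// Activating a tag means replacing it with a real script element.
function applyConsentToDom(doc, record, signals) {
  const tagged = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  const { load } = gateScripts(tagged, record, signals);
  for (const s of load) {
    const live = doc.createElement("script");
    live.src = s.src;
    s.el.replaceWith(live);
  }
  return load.length;
}

if (typeof document !== "undefined") {
  const signals = { gpc: navigator.globalPrivacyControl === true };
  applyConsentToDom(document, parseConsentCookie(document.cookie), signals);
}
```

In the page’s HTML the tracking tags become `<script type="text/plain" data-consent="analytics" data-src="/analytics.js"></script>`; the banner’s Save button calls `buildConsentRecord` with the checkbox state, writes `serializeConsent(record)` to `document.cookie`, and re-runs `applyConsentToDom`. Posting the same record to a server endpoint gives you the consent log; the random ID, not the visitor’s identity, is the join key between the cookie and that log.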
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex requests if you tell the requester why)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as legal retention duties; propagate the deletion to processors holding copies, such as your email platform, and to backups on their normal rotation)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data (users, comments, media) plus any plugin that registers its own exporter and eraser with them; WooCommerce does this for orders, but many form and membership plugins do not. Run a test export for a real account and check which groups appear in the output; anything missing (form submissions, profile fields, plugin tables) has to be exported and erased by hand or with that plugin’s own tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Every breach, reported or not, must be documented internally (what happened, its effects, what you did), because the authority can ask to see that record. Designate someone responsible for breach assessment and notification in your organization, and know in advance which hosting, plugin, and email vendors you would need to reach within those 72 hours.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal, which the CPRA regulations treat as a valid opt-out request even if the visitor never clicks the link. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that their GPC handling is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is reduced to SAQ A (the simplest self-assessment questionnaire). SAQ A eligibility depends on the card fields being served by the processor, as a redirect or an iframe it controls; a form that your own page renders and posts to the processor falls under the larger SAQ A-EP. Under PCI DSS v4.x, payment-page script attacks are in scope even for SAQ A merchants: the current SAQ A asks you to confirm your site is not susceptible to scripts that could affect the payment page, and the broader SAQs require a script inventory, authorization and tamper detection (requirements 6.4.3 and 11.6.1), because a malicious third-party script on the checkout page can skim card data inside the browser regardless of where the form posts.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details in processor-hosted iframes or popups and handing your server only a token. Keep the checkout page free of unnecessary third-party scripts, and review what loads there after every plugin change.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and the designation expires after three years, so calendar the renewal: an expired designation means no safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; log the timestamp and the ToS version accepted alongside the user record. For GDPR consent, separate unticked checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled or pre-ticked consent is not valid, and the terms checkbox must never be the one that also grants marketing consent.
Privacy-First Analytics Options
Google Analytics requires consent because it sets identifier cookies, and the ePrivacy rules treat that as non-essential storage on the visitor’s device. The transfer of the collected data to Google’s US servers is a separate GDPR question (it is what the earlier DPA decisions against Google Analytics were about; Google is now certified under the EU-US Data Privacy Framework). If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Configured with no cookies, truncated IP addresses, and no cross-site tracking, it fits the CNIL audience-measurement exemption and does not require consent under most GDPR interpretations; with cookies and full IP addresses it is ordinary analytics and does.
- Plausible: From $9/month. No cookies and no persistent identifier: visitors are counted with a salted hash of IP address and user agent whose salt rotates daily, so the raw IP is not retained. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU or monitors their behaviour (analytics and advertising cookies count as monitoring), regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to, or monitoring the behaviour of, people in the EU | Lawful basis for processing, consent, data subject rights, DPO where core activities involve large-scale monitoring or special-category data | 20M EUR or 4% of global annual turnover, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible, reaches EU visitors, and collects any data about them (email signups, contact forms, cookies, analytics), you are very likely subject to GDPR, because analytics and advertising cookies are “monitoring of behaviour” under Article 3(2). Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Article 7(1)). Log which categories were accepted or refused, when, under which version of your cookie policy, how (banner, settings page, withdrawal), and a pseudonymous consent ID that ties the record to that browser - the visitor’s identity is not needed for this and should not be collected for it
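What these requirements look like in code, as an added example written for this article (it is not taken from the page or from any of the consent plugins it discusses): third-party tags ship as inert placeholders and are only turned into live scripts after the visitor actively grants their category, and every decision produces the record the last bullet calls for. The data-consent attribute name, the policy version string, the storage key and the placeholder list used to run it outside a browser are assumptions made for the example.

```javascript
// Added example for this article, not code from any plugin on the page.
// Prior consent in practice: third-party tags are written into the HTML as inert placeholders,
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/a.js"></script>
// type="text/plain" stops the browser from executing them on page load; a placeholder becomes a
// real <script> only after the visitor has actively granted its category. Attribute names, the
// policy version and the storage key below are assumptions made for this example.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-06-01';   // assumed; bump it whenever the cookie policy text changes
const STORAGE_KEY = 'consent_record';  // assumed localStorage key

function randomId() {
  // Consent ID: pseudonymous and only has to be unique. It is not a secret, so a UUID is enough.
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID();
  }
  return Date.now().toString(36) + '-' + Math.random().toString(36).slice(2);
}

// The record you must be able to produce: what was consented to, when, under which policy
// version, how, and a consent ID tying it to this browser. Nothing is pre-ticked: a category is
// granted only if the visitor explicitly set it to true.
function makeConsentRecord(choices, { method = 'banner', now = new Date(), id = randomId() } = {}) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' ? true : choices[c] === true;
  return { id, timestamp: now.toISOString(), policyVersion: POLICY_VERSION, method, granted };
}

// "Reject All" is one click, exactly like "Accept All".
const acceptAll = (opts) => makeConsentRecord({ functional: true, analytics: true, marketing: true }, opts);
const rejectAll = (opts) => makeConsentRecord({}, opts);

// Withdrawal produces a new record with the same consent ID; the earlier record stays in the log
// as evidence of what was granted and when.
function withdraw(previous, now = new Date()) {
  return makeConsentRecord({}, { method: 'withdrawal', now, id: previous.id });
}

// A stored record only counts for the policy version it was given under.
function isCurrent(record) {
  return !!record && record.policyVersion === POLICY_VERSION;
}

// Pure decision, usable without a DOM: which placeholders may load. No record, a stale record or
// an unknown category all fail closed - only "necessary" scripts run.
function scriptsToActivate(scripts, record) {
  if (!isCurrent(record)) return scripts.filter((s) => s.category === 'necessary');
  return scripts.filter((s) => record.granted[s.category] === true);
}

// Browser side: swap approved placeholders for live script tags; the rest stay inert.
// Returns the number of scripts activated (0 when there is no document, e.g. under Node).
function applyConsent(record, doc = globalThis.document) {
  if (!doc) return 0;
  const placeholders = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const entries = placeholders.map((el) => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  let count = 0;
  for (const { el } of scriptsToActivate(entries, record)) {
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    count += 1;
  }
  return count;
}

// Local copy so the banner does not reappear. The authoritative copy must go to your server as
// well: a record that lives only in the visitor's browser cannot be produced on request.
function saveRecord(record, storage = globalThis.localStorage) {
  if (storage) storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}
function loadRecord(storage = globalThis.localStorage) {
  if (!storage) return null;
  try { return JSON.parse(storage.getItem(STORAGE_KEY)); } catch (e) { return null; }
}

// Constructed placeholder list for running this file outside a browser.
const DEMO_SCRIPTS = [
  { category: 'necessary', src: '/js/csrf.js' },
  { category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { category: 'marketing', src: 'https://example.invalid/pixel.js' },
];
```

The pure scriptsToActivate function is the part worth unit-testing; applyConsent is only the thin DOM layer over it. Note the fail-closed behaviour: no record, a record from an older policy version, or a script whose category you never defined all result in nothing beyond strictly necessary scripts loading, which is what an auditor expects to see.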
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt only when the visitor explicitly asked for the feature (e.g. picked a language); otherwise consent is required |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt; GDPR Article 12(3) allows up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to the Article 17(3) exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. You must also keep an internal register of every breach, including the ones you assess as not reportable, recording the facts, the effects and what you did about it (Article 33(5)), so the authority can check your reasoning later. Designate someone responsible for breach assessment and notification in your organization, and agree in advance when the 72-hour clock starts: the moment someone on your team has a reasonable degree of certainty that personal data was compromised, not the moment the investigation is finished.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The link alone is not enough: California’s regulations also require you to treat the Global Privacy Control (GPC) opt-out preference signal, which supporting browsers and extensions send with every request (the Sec-GPC: 1 request header, exposed to page scripts as navigator.globalPrivacyControl), as a valid opt-out of sale or sharing. Check that your consent plugin honors it, then verify with a browser that sends the signal (Brave does by default) that the advertising pixels stay blocked without any click.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
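The 4.5:1 figure is a computed quantity, not a judgement call, and it is worth being able to check it in a build step rather than only through a scanner. The following added example, written for this article and not taken from WAVE, axe or the page, implements the WCAG 2.1 relative luminance and contrast ratio formulas and audits a constructed sample palette; the colour values in the sample are invented.

```javascript
// Added example for this article, not code from WAVE, axe or the page.
// WCAG 2.1 defines relative luminance L = 0.2126 R + 0.7152 G + 0.0722 B on linearised sRGB
// channels (c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ^ 2.4) and the contrast ratio as
// (L_lighter + 0.05) / (L_darker + 0.05). Level AA needs 4.5:1 for normal text and 3:1 for
// large text (at least 18pt, or 14pt bold).

function parseHex(hex) {
  const h = String(hex).replace(/^#/, '');
  const full = h.length === 3 ? h.split('').map((ch) => ch + ch).join('') : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(full.slice(i, i + 2), 16));
}

function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Order of the two colours does not matter: the lighter one always goes on top.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg);
  const b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

function passesAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette: returns only the failing pairs, each with its ratio rounded for the report.
function auditPairs(pairs) {
  return pairs
    .filter((p) => !passesAA(p.fg, p.bg, { largeText: !!p.largeText }))
    .map((p) => ({ ...p, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }));
}

// Constructed sample palette (the colour choices are invented for this example).
const SAMPLE_PAIRS = [
  { name: 'body text', fg: '#767676', bg: '#ffffff' },                     // 4.54:1, the palest grey that passes
  { name: 'muted text', fg: '#777777', bg: '#ffffff' },                    // 4.48:1, fails by a hair
  { name: 'hero heading', fg: '#777777', bg: '#ffffff', largeText: true }, // same grey, passes the 3:1 large-text bar
  { name: 'link on brand', fg: '#ffffff', bg: '#3b82f6' },                 // about 3.7:1, fine for large text only
];

// Human-readable lines for a CI log or a pull-request comment.
function report(pairs = SAMPLE_PAIRS) {
  return auditPairs(pairs).map(
    (p) => `${p.name}: ${p.fg} on ${p.bg} = ${p.ratio}:1 (needs ${p.largeText ? 3 : 4.5}:1)`
  );
}
```

Running report() against your theme’s colour variables in CI catches the most common WCAG failure (a designer lightening a grey by one step) before a scanner or a plaintiff does.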
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the visitor’s browser to the processor and never touches your servers, your PCI scope drops to SAQ A, the simplest self-assessment questionnaire. What decides this is how the form is built: a hosted page or an iframe that the processor serves (Stripe Checkout, Stripe Elements, PayPal’s hosted buttons) qualifies for SAQ A; a form on your own page whose JavaScript posts the card number to the processor (a “direct post” integration) qualifies only for the longer SAQ A-EP, because your page code is then in scope.
Do not collect card numbers in your own forms, do not store card numbers anywhere in your database, and check that they cannot land in web server logs, form-plugin submission tables, or error reports either. Stripe’s Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side in processor-served fields and passing only a token to your server. One caveat even with an iframe: any script that runs on your checkout page can still overlay or redirect the payment form (this is how card-skimming attacks on e-commerce sites work), so keep third-party scripts off the checkout page and lock down what can load there with a Content-Security-Policy header and Subresource Integrity hashes on the scripts you do allow.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the registration must be renewed every three years or it lapses, and the safe harbor with it. The statute also requires the agent’s contact details to be posted on your site, so add a DMCA policy page explaining your takedown process and listing the agent’s name, address, and the email address or form for receiving notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp, the account it belongs to, and the version of the terms that was shown, because a record that cannot say which text was accepted proves little. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and none of the boxes may be pre-ticked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism that you honor within 10 business days, a valid physical postal address, and non-deceptive headers and subject lines. Under CASL (Canada), explicit opt-in is required for commercial messages, with only narrow implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies disabled and IP anonymization enabled it can run without a consent banner under most GDPR interpretations; the French regulator CNIL publishes the configuration it accepts for this, and Matomo documents how to match it.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
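Tokenized checkouts only keep you at SAQ A if a raw card number never reaches your server, and a misconfigured form or a custom plugin can break that silently. As an added example (not code from the post, Stripe, PayPal or WooCommerce), here is a server-side guard that detects PAN-shaped values in a submitted body using the Luhn checksum and rejects the request before anything is stored or logged. The function names, the Express-style `(req, res, next)` middleware shape, and the sample payloads are assumptions.

```javascript
// Added example (not from the original post): refuse raw card numbers server-side.

// Luhn checksum, which every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, with spaces and dashes removed, it is 13-19
// digits and passes Luhn. Phone and order numbers rarely pass the checksum.
function looksLikePan(value) {
  if (typeof value === "number" && Number.isInteger(value)) value = String(value);
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body (nested objects and arrays) and return the dotted
// paths of any field that carries a PAN. Values are never copied into the result.
function findRawCardFields(body, path = "") {
  const hits = [];
  if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findRawCardFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Express-style middleware (call shape assumed): respond 400 instead of letting
// the PAN reach handlers, the database or the logs. Only field names are reported.
function rejectRawCardData(req, res, next) {
  const hits = findRawCardFields(req.body);
  if (hits.length > 0) {
    return res.status(400).json({ error: "raw card data not accepted", fields: hits });
  }
  return next();
}

// Constructed sample submissions: a correct tokenized checkout and a broken one.
const SAMPLE_TOKENIZED_BODY = { name: "Ann Example", payment_method: "pm_card_visa", amount: 1999 };
const SAMPLE_BROKEN_BODY = {
  name: "Ann Example",
  order: "ORD-1234567890123",
  card: { number: "4242 4242 4242 4242", exp: "12/30" },
};
```

Mount the middleware in front of every checkout and form endpoint; a 400 from it in production is a signal that the front-end integration has regressed and needs fixing before any PCI self-assessment is signed.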
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
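If you run your own signup form instead of the platform's embed, the double opt-in flow and the consent record described above have to be built by you. The following is an added example, not code from the post or from Mailchimp, ConvertKit or ActiveCampaign: a server-side `MailingList` that issues a single-use, expiring confirmation token at signup, records date, IP and method only when the confirmation link is clicked, and removes the address immediately on unsubscribe. The class and method names, the 48-hour token lifetime, and the injectable clock and random source (used so the flow can be tested deterministically) are assumptions.

```javascript
// Added example (not from the original post): double opt-in with a consent record.
const CONFIRM_TTL_MS = 48 * 60 * 60 * 1000; // assumed policy: confirm within 48 hours

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

class MailingList {
  constructor({ now = () => Date.now(), random } = {}) {
    this.now = now;
    // 32 bytes from the platform CSPRNG by default; tests inject a fixed source.
    this.random = random ?? ((n) => globalThis.crypto.getRandomValues(new Uint8Array(n)));
    this.pending = new Map();     // token -> { email, ip, requestedAt }
    this.subscribers = new Map(); // email -> consent record
  }

  // Step 1: the form submit. Nothing is added to the list yet; the token goes
  // into the confirmation link (e.g. /confirm?token=...).
  requestSubscription(email, ip) {
    const token = toHex(this.random(32));
    this.pending.set(token, { email: email.toLowerCase(), ip, requestedAt: this.now() });
    return token;
  }

  // Step 2: the click on the confirmation link. Only now is consent recorded.
  confirm(token, ip) {
    const p = this.pending.get(token);
    if (!p) return { ok: false, reason: "unknown-token" };
    this.pending.delete(token); // single use, whether or not it is still valid
    if (this.now() - p.requestedAt > CONFIRM_TTL_MS) return { ok: false, reason: "expired" };
    const record = {
      email: p.email,
      method: "double-opt-in",
      requestedAt: new Date(p.requestedAt).toISOString(),
      requestIp: p.ip,
      confirmedAt: new Date(this.now()).toISOString(),
      confirmIp: ip,
    };
    this.subscribers.set(p.email, record);
    return { ok: true, record };
  }

  // Unsubscribe takes effect immediately, not within a 10-day window.
  unsubscribe(email) {
    return this.subscribers.delete(email.toLowerCase());
  }

  // Gate every send on this: no record, no email.
  canEmail(email) {
    return this.subscribers.has(email.toLowerCase());
  }
}
```

The consent record is what you would export if a subscriber or a regulator asks when and how consent was given. In production, persist `pending` and `subscribers` in your database rather than in memory, and consider storing only a hash of the confirmation token.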
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
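The plugins compared below implement these rules for you, but the logic is small enough to see end to end. As an added example (not code from the post or from any of the plugins), here is a consent-state module that enforces each requirement: choices default to off, a decision must be explicit for every category, withdrawal is the same operation as consent, every decision is appended to a log with a timestamp, and a tag in a non-essential category is only loaded after a positive decision. The class and field names, the tag list, and the 6-month consent-cookie lifetime are assumptions; the categories follow the table in the next section.

```javascript
// Added example (not from the original post): consent state that follows the
// ePrivacy/GDPR rules. Pure logic with no DOM access so it can be unit-tested;
// the banner UI and the actual <script> injection sit on top of it.
const CATEGORIES = ["functional", "analytics", "marketing"]; // non-essential only

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    this.state = null;   // null = no decision yet: nothing non-essential loads
    this.records = [];   // append-only log: what was consented to, when, by whom
  }

  // What the banner shows initially: everything off, no pre-ticked boxes.
  defaultChoices() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  }

  // An active decision. Every category must be an explicit true/false;
  // scrolling or continuing to browse never calls this.
  record(visitorId, choices, source) {
    for (const c of CATEGORIES) {
      if (typeof choices[c] !== "boolean") {
        throw new Error(`explicit true/false required for "${c}"`);
      }
    }
    const entry = {
      visitorId,                 // pseudonymous id kept in the consent cookie
      choices: { ...choices },
      source,                    // "banner" or "settings-link"
      timestamp: this.now().toISOString(),
    };
    this.records.push(entry);
    this.state = entry.choices;
    return entry;
  }

  // "Accept All" and "Reject All" are offered with equal prominence.
  acceptAll(visitorId) {
    return this.record(visitorId, Object.fromEntries(CATEGORIES.map((c) => [c, true])), "banner");
  }
  rejectAll(visitorId) {
    return this.record(visitorId, this.defaultChoices(), "banner");
  }

  // Withdrawal from the footer settings link is just another explicit decision.
  withdraw(visitorId) {
    return this.record(visitorId, this.defaultChoices(), "settings-link");
  }

  // Gate for each tag: strictly necessary always loads, anything else only
  // after a positive decision for its category.
  mayLoad(category) {
    if (category === "necessary") return true;
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
    return this.state !== null && this.state[category] === true;
  }

  // The decision itself lives in a strictly necessary cookie (exempt from
  // consent). A 6-month lifetime is an assumed retention period.
  cookieHeader() {
    if (this.state === null) return null;
    const value = encodeURIComponent(JSON.stringify(this.state));
    return `site_consent=${value}; Max-Age=${6 * 30 * 24 * 3600}; Path=/; Secure; SameSite=Lax`;
  }
}

// Constructed sample of tags a site might embed, mapped to the category table.
const SAMPLE_TAGS = [
  { name: "wp_session", category: "necessary" },
  { name: "csrf_token", category: "necessary" },
  { name: "site_language", category: "functional" },
  { name: "matomo.js", category: "analytics" },
  { name: "fbevents.js", category: "marketing" },
];

function tagsToLoad(manager, tags = SAMPLE_TAGS) {
  return tags.filter((t) => manager.mayLoad(t.category)).map((t) => t.name);
}
```

The useful check when evaluating a real banner is the same one this module makes explicit: load the page in a fresh browser profile, decline, and confirm that only the "necessary" tags ran. If an analytics or marketing script fired before any decision, the banner is not enforcing "prior" consent, whatever its settings page says.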
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
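The requirements above translate directly into code. What follows is an added example, not code from the article or from any of the consent plugins compared below: a minimal consent manager in JavaScript that grants nothing by default, keeps "Accept All" and "Reject All" equally cheap, ties each record to a policy version so a changed cookie policy invalidates old consent, makes withdrawal a single call that produces a fresh log entry, and only activates third-party tags after consent covers their category. The `POLICY_VERSION` and `CATEGORIES` values, the `data-consent` attribute convention and the `/consent-log` endpoint are assumptions made for this example.

```javascript
// Added example, not code from the article or from any plugin it compares: a minimal
// consent manager implementing prior, granular, withdrawable consent with records.
// POLICY_VERSION, CATEGORIES, the data-consent attribute and /consent-log are assumptions.

const POLICY_VERSION = '2024-01'; // bump whenever the cookie policy changes; older consent expires
const CATEGORIES = ['functional', 'analytics', 'marketing']; // non-essential categories only
const STORAGE_KEY = 'cookie-consent';

function newId() {
  // Opaque id for the consent log; the server pairs it with its own timestamp.
  return (typeof crypto !== 'undefined' && crypto.randomUUID)
    ? crypto.randomUUID()
    : Math.random().toString(36).slice(2);
}

// Build a record from the visitor's explicit choices. Anything not explicitly set to
// true is false: nothing is pre-ticked, and scrolling or browsing grants nothing.
function createConsentRecord(choices = {}, now = new Date()) {
  const granted = {};
  for (const cat of CATEGORIES) granted[cat] = choices[cat] === true;
  return { id: newId(), policyVersion: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// "Accept All" and "Reject All" are equally easy: one click each.
function acceptAll() {
  return createConsentRecord(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
}
function rejectAll() {
  return createConsentRecord({});
}

// A record only counts if it was given under the current policy version.
function isValid(record) {
  return Boolean(record)
    && record.policyVersion === POLICY_VERSION
    && record.granted != null && typeof record.granted === 'object';
}

// Strictly necessary cookies are exempt; everything else needs a valid, explicit grant.
function isAllowed(record, category) {
  if (category === 'necessary') return true;
  return isValid(record) && record.granted[category] === true;
}

// Withdrawal produces a fresh record (new id, new timestamp) so the log shows the change.
function withdraw(record, category) {
  const choices = isValid(record) ? { ...record.granted } : {};
  choices[category] = false;
  return createConsentRecord(choices);
}

// Decide which script descriptors may run. Free of DOM calls so it can be unit-tested.
function selectScripts(record, scripts) {
  return scripts.filter((s) => isAllowed(record, s.category));
}

// Tags ship inert as <script type="text/plain" data-consent="analytics" src="..."> so
// nothing loads before consent ("prior" consent). Returns how many tags were activated.
function activateScripts(record) {
  if (typeof document === 'undefined') return 0;
  const inert = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const runnable = selectScripts(record, inert.map((el) => ({ category: el.dataset.consent, el })));
  for (const { el } of runnable) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return runnable.length;
}

// Persist the record locally and send it to the (assumed) consent-log endpoint, which
// is where the server-side record of what was consented to, and when, is kept.
function saveRecord(record) {
  if (typeof localStorage !== 'undefined') localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
  if (typeof fetch !== 'undefined') {
    fetch('/consent-log', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(record),
    }).catch(() => {});
  }
  return record;
}

function loadRecord() {
  if (typeof localStorage === 'undefined') return null;
  try { return JSON.parse(localStorage.getItem(STORAGE_KEY)); } catch { return null; }
}
```

On page load, call `activateScripts(loadRecord())`; a missing or stale record activates nothing and the banner is shown. The "cookie settings" footer link simply re-opens the same banner and calls `saveRecord(withdraw(...))` or `saveRecord(createConsentRecord(...))`, which is what "as easy to withdraw as to give" means in practice.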
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
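The 4.5:1 figure is a computable check, not a judgment call. The block below is an added example (not code from the article, WAVE or axe) that implements the WCAG 2.1 relative-luminance formula and contrast ratio for two hex colours, then audits a constructed list of foreground/background pairs against the AA thresholds (4.5:1 for normal text, 3:1 for large text). Function names are assumptions made for this example.

```javascript
// Added example, not from the article or from WAVE/axe: WCAG 2.1 contrast ratio checker.
// Function names are assumptions; the formula is the one in WCAG 2.1 (relative luminance).

function hexToRgb(hex) {
  let h = String(hex).replace(/^#/, '');
  if (h.length === 3) h = h.split('').map((c) => c + c).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  const n = parseInt(h, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// Relative luminance: linearise each sRGB channel, then apply the WCAG channel weights.
function relativeLuminance([r, g, b]) {
  const lin = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1 to 21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(hexToRgb(fg));
  const l2 = relativeLuminance(hexToRgb(bg));
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA: 4.5:1 for normal text, 3:1 for large text (18pt, or 14pt bold).
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of colour pairs (constructed sample below) and report each result.
function auditPairs(pairs) {
  return pairs.map((p) => ({
    ...p,
    ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100,
    passesAA: meetsAA(p.fg, p.bg, p),
  }));
}

// Constructed sample: body text, a light placeholder, and a large heading.
const SAMPLE_PAIRS = [
  { name: 'body text', fg: '#333333', bg: '#ffffff' },
  { name: 'placeholder', fg: '#777777', bg: '#ffffff' },
  { name: 'hero heading', fg: '#777777', bg: '#ffffff', largeText: true },
];

function failingPairs(pairs = SAMPLE_PAIRS) {
  return auditPairs(pairs).filter((p) => !p.passesAA).map((p) => p.name);
}
```

Grey `#777777` on white is a common placeholder colour and lands just under the line at about 4.48:1; `#767676` is the lightest grey that passes on white. Running `failingPairs()` over your stylesheet's actual pairs is a quick first pass before a full WAVE or axe scan.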
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
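The requirements list and the category table above describe behaviour that a consent banner has to implement exactly: nothing non-essential runs before a decision, missing choices count as refusal, "Reject All" is as cheap as "Accept All", withdrawal is one action, and every decision is logged. The following is an added example, not code from the original post or from any of the plugins it names: a small consent manager that models those rules in plain JavaScript. The category names, the record fields (visitor id, policy version) and the deferred-script queue are assumptions standing in for the way a real banner tags scripts with `type="text/plain"` and rewrites them after consent.

```javascript
// Added example, not code from the original post or from any of the plugins it
// names. Category names, record fields and the deferred-script queue are
// assumptions that stand in for how a consent plugin tags and blocks scripts.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

class ConsentManager {
  // `now` is injectable so the audit log is reproducible in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.choices = null;   // null = no decision yet: nothing non-essential may run
    this.records = [];     // append-only log: what, when, by which (pseudonymous) visitor
    this.pending = [];     // non-essential scripts held back until consent ("prior" consent)
  }

  // Strictly necessary cookies are exempt; every other category needs an
  // explicit true recorded for it. Absence of a decision is never consent.
  allows(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true;
    return this.choices !== null && this.choices[category] === true;
  }

  // Register a script that must not run before its category is consented to.
  // In a browser this is the role of <script type="text/plain" data-category="...">
  // tags that the banner switches to type="text/javascript" after consent.
  defer(category, run) {
    this.pending.push({ category, run });
    this.flush();
  }

  // Granular decision: each non-essential category is true only if the visitor
  // actively chose it. Missing keys count as refused (no pre-ticked boxes).
  decide(choicesInput, meta) {
    return this.record('decide', choicesInput, meta);
  }

  acceptAll(meta) {
    const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
    return this.record('accept_all', all, meta);
  }

  // "Reject All" must be as easy as "Accept All": one call, nothing to fill in.
  rejectAll(meta) {
    return this.record('reject_all', {}, meta);
  }

  // Withdrawal is a new decision that revokes everything. Scripts that already
  // ran cannot be unloaded, so a real banner also deletes the cookies those
  // scripts set and reloads the page.
  withdraw(meta) {
    return this.record('withdraw', {}, meta);
  }

  record(action, choicesInput, meta) {
    const choices = {};
    for (const c of CATEGORIES) {
      choices[c] = c === 'necessary' ? true : choicesInput[c] === true;
    }
    this.choices = choices;
    this.records.push({
      at: this.now(),
      action,
      visitorId: meta.visitorId,         // pseudonymous id kept in a necessary cookie
      policyVersion: meta.policyVersion, // which cookie policy text was shown
      choices: { ...choices },
    });
    this.flush();
    return choices;
  }

  // Run every deferred script whose category is now allowed; keep the rest queued.
  flush() {
    const stillPending = [];
    for (const item of this.pending) {
      if (this.allows(item.category)) item.run();
      else stillPending.push(item);
    }
    this.pending = stillPending;
  }
}
```

The `records` array is the consent log the checklist asks for; in production it would be posted to the server and retained with the policy version it refers to, so that a later complaint can be answered with the exact text the visitor saw.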
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly. Designate someone in your organization who is responsible for breach assessment and notification.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
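The 4.5:1 figure above is a computed value, and it is worth being able to check it outside a browser extension, for instance in a build step that audits a theme's colour palette. The following is an added example, not code from the original post or from WAVE or axe: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and classifies a colour pair as AAA, AA or fail. The sample colours are constructed for illustration.

```javascript
// Added example, not code from the original post or from WAVE or axe. It
// implements the WCAG 2.1 relative-luminance and contrast-ratio formulas so the
// 4.5:1 requirement can be checked for a colour pair in a build script.
function hexToRgb(hex) {
  let h = hex.replace(/^#/, '');
  if (h.length === 3) h = h.split('').map((c) => c + c).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// sRGB channel (0-255) to linear light, per WCAG 2.1's definition of relative luminance.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex);
  return 0.2126 * channelToLinear(r) + 0.7152 * channelToLinear(g) + 0.0722 * channelToLinear(b);
}

// Contrast ratio is (L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour; it is
// symmetric, so argument order does not matter.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(fg);
  const b = relativeLuminance(bg);
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// WCAG 2.1: AA needs 4.5:1 for normal text and 3:1 for large text;
// AAA needs 7:1 and 4.5:1 respectively.
function wcagLevel(fg, bg, { largeText = false } = {}) {
  const ratio = contrastRatio(fg, bg);
  const aa = largeText ? 3 : 4.5;
  const aaa = largeText ? 4.5 : 7;
  if (ratio >= aaa) return 'AAA';
  if (ratio >= aa) return 'AA';
  return 'fail';
}

// Audit a palette of foreground/background pairs and return only the failures,
// each with its ratio rounded to two decimals for the report.
function auditPairs(pairs) {
  return pairs
    .map((p) => ({
      ...p,
      ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100,
      level: wcagLevel(p.fg, p.bg, p),
    }))
    .filter((p) => p.level === 'fail');
}
```

A useful calibration: `#767676` on white is the darkest neutral grey that passes AA for normal text (about 4.54:1), while `#777777` falls just short (about 4.48:1). A palette audit that reports ratios to two decimals makes such near misses visible.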
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
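Client-side tokenization only keeps you in SAQ A scope if the server side also refuses to accept anything but the token. A broken form, a support agent pasting a card number into a "notes" field, or a well-meaning developer adding a fallback input can all put a PAN into your database and logs. The following is an added example, not code from the original post or from Stripe, PayPal or WooCommerce: a server-side gate for a checkout endpoint that rejects any payload in which a field looks like a raw card number (13-19 digits that pass the Luhn check) and requires the payment reference to be a processor token. The token prefixes (`tok_`, `pm_`, `pi_`) are Stripe-style and are an assumption to adjust for your processor; the sample payloads, including Stripe's public 4242 test number, are constructed for illustration.

```javascript
// Added example, not code from the original post or from Stripe, PayPal or
// WooCommerce. Server-side gate that keeps raw card data out of your systems:
// accept only a processor token and refuse any PAN-shaped field.
// Token prefixes are Stripe-style (assumption: adjust for your processor).
const TOKEN_PATTERN = /^(tok|pm|pi)_[A-Za-z0-9]+$/;

// Luhn checksum: a 13-19 digit string that passes it is very likely a PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find digit runs (spaces or dashes allowed between digits) that are PAN-shaped,
// so "4242 4242 4242 4242" inside free text is caught as well as a bare number.
function containsPan(text) {
  const runs = String(text).match(/(?:\d[ -]?){13,19}/g) || [];
  return runs.some((run) => {
    const digits = run.replace(/[ -]/g, '');
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Walk a JSON body and return the paths of every value that contains a PAN.
function findPanFields(value, path = '', found = []) {
  if (typeof value === 'string' || typeof value === 'number') {
    if (containsPan(value)) found.push(path || '(root)');
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findPanFields(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findPanFields(v, path ? `${path}.${k}` : k, found);
    }
  }
  return found;
}

// The checkout handler's gate. Call it before anything is logged or persisted,
// so a PAN never reaches the database or the log files.
function validateCheckoutPayload(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return { ok: false, reason: 'raw card data rejected', fields: panFields };
  }
  if (typeof body.paymentMethod !== 'string' || !TOKEN_PATTERN.test(body.paymentMethod)) {
    return { ok: false, reason: 'paymentMethod must be a processor token', fields: ['paymentMethod'] };
  }
  return { ok: true, reason: 'ok', fields: [] };
}
```

Order numbers and other long digit strings are left alone because they fail the Luhn check; the rejection response names the offending field path so the bug in the form can be found without ever logging the value itself.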
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (for example, email marketing versus the data needed to run the account) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
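
The decision logic behind a banner that meets the requirements listed above and respects the category table, as an added example (not code from the article or from any of the plugins compared below). It assumes scripts are tagged in the HTML as `<script type="text/plain" data-category="analytics" data-src="...">`, a convention used by several consent plugins, and that the site keys its consent log by a `consentId` it stores in a strictly necessary cookie; `policyVersion` and the action names are likewise this example's own.

```javascript
// Added example: consent-banner decision logic as pure functions, so the same
// code runs under Node for testing and in the browser. Only activate() touches
// the DOM, and it is guarded.

// Categories from the article's table. Only "necessary" is exempt; "functional"
// is treated conservatively as requiring consent.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// State before any interaction: no non-essential category is on. This is the
// "no pre-ticked boxes" rule expressed as data.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn a banner interaction into a consent record. Only an explicit click
// counts; "scroll", "close" or "timeout" are passive and return null, so the
// caller keeps the default state and sets nothing. `choices` is expected to be
// booleans after form parsing; anything other than `true` means "not consented".
function recordConsent({ action, choices = {}, consentId, policyVersion, now = new Date() }) {
  const explicit = ["accept_all", "reject_all", "save_preferences"];
  if (!explicit.includes(action)) return null;
  const categories = defaultConsent();
  for (const c of NON_ESSENTIAL) {
    if (action === "accept_all") categories[c] = true;
    else if (action === "save_preferences") categories[c] = choices[c] === true;
    // reject_all: everything non-essential stays false
  }
  return { consentId, policyVersion, action, timestamp: now.toISOString(), categories };
}

// Which tagged scripts may run for this record. With no record at all, only
// "necessary" scripts run: nothing is set before consent ("prior").
function allowedScripts(scripts, consent) {
  const state = consent ? consent.categories : defaultConsent();
  return scripts.filter((s) => state[s.category] === true);
}

// Withdrawal is one call: flip the category off, produce a new record for the
// consent log, and name the cookies that must now be deleted client-side.
function withdraw(consent, category, cookiesByCategory, now = new Date()) {
  if (!NON_ESSENTIAL.includes(category)) {
    throw new Error("only non-essential categories can be withdrawn");
  }
  const updated = {
    ...consent,
    action: "withdraw_" + category,
    timestamp: now.toISOString(),
    categories: { ...consent.categories, [category]: false },
  };
  return { consent: updated, cookiesToDelete: cookiesByCategory[category] || [] };
}

// Browser glue for the assumed markup:
//   <script type="text/plain" data-category="analytics" data-src="https://example.invalid/a.js"></script>
// Browsers do not execute type="text/plain", so nothing runs until the tag is
// swapped for a live one. Returns the number of scripts activated; 0 outside a browser.
function activate(consent) {
  if (typeof document === "undefined") return 0;
  const tags = document.querySelectorAll('script[type="text/plain"][data-category]');
  const scripts = Array.from(tags, (el) => ({ category: el.dataset.category, el }));
  let count = 0;
  for (const s of allowedScripts(scripts, consent)) {
    const live = document.createElement("script");
    if (s.el.dataset.src) live.src = s.el.dataset.src;
    else live.textContent = s.el.textContent;
    s.el.replaceWith(live);
    count++;
  }
  return count;
}
```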
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
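Even with a tokenizing payment form, a free-text field (order notes, support form) can still deliver a raw card number to your server. The following server-side tripwire is an added example, not code from the article or from Stripe, PayPal or WooCommerce: it screens a form submission for Luhn-valid 13 to 19 digit sequences, rejects the submission and returns a redacted copy that is safe to log. The field names and the `tok_visa_4242` token value are constructed for the example.

```javascript
// Added example: detect and redact anything that looks like a card number (PAN)
// in a form payload before it is persisted or logged. Luhn filtering removes
// most false positives (order ids, phone numbers); treat hits as a reason to
// reject the submission, not as proof of a card number.

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
// standing on word boundaries (so "ref4242..." is deliberately not a candidate).
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ match: m[0], last4: digits.slice(-4) });
    }
  }
  return hits;
}

// Walk a (possibly nested) payload. Returns { ok, violations, redacted } where
// `redacted` keeps only the last four digits, which PCI DSS permits to display.
function screenSubmission(payload, path = "") {
  const violations = [];
  const redacted = Array.isArray(payload) ? [] : {};
  for (const [key, value] of Object.entries(payload)) {
    const here = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === "object") {
      const sub = screenSubmission(value, here);
      violations.push(...sub.violations);
      redacted[key] = sub.redacted;
      continue;
    }
    const scannable = typeof value === "string" || typeof value === "number";
    const hits = scannable ? findPans(value) : [];
    if (hits.length === 0) { redacted[key] = value; continue; }
    violations.push(...hits.map((h) => ({ field: here, last4: h.last4 })));
    let text = String(value);
    for (const h of hits) {
      text = text.split(h.match).join("[PAN REDACTED ****" + h.last4 + "]");
    }
    redacted[key] = text;
  }
  return { ok: violations.length === 0, violations, redacted };
}
```

Run `screenSubmission(req.body)` before any write; on `ok === false`, reject the request and log only the `violations` and `redacted` copy, never the original body.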
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
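The consent rules above (prior, granular, rejectable, withdrawable, recorded) and the category table map onto a small amount of logic. The following is an added example, not code from the original post or from any of the plugins it names: a minimal consent-gating model in which tags ship inert and are activated only for categories the visitor actively granted. The category names come from the table; the script entries and record fields are constructed sample data.

```javascript
// Added example (not from the original post or any named plugin): consent-gating model.
// Category names follow the cookie category table above; sample scripts are constructed.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Default state before any choice: only strictly necessary. "Prior" consent means
// non-essential scripts stay blocked until the visitor actively decides.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn a banner action into a consent state. `choices` holds the boxes the visitor
// ticked; anything not explicitly ticked stays false (no pre-ticked boxes), and
// "reject_all" is one click, exactly as easy as "accept_all".
function decide(action, choices = {}) {
  const state = defaultConsent();
  if (action === 'accept_all') {
    for (const c of CATEGORIES) state[c] = true;
  } else if (action === 'save_selection') {
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && choices[c] === true) state[c] = true;
    }
  } else if (action !== 'reject_all') {
    // Scrolling, closing the banner, or continuing to browse is not consent.
    throw new Error(`unknown consent action: ${action}`);
  }
  return state;
}

// Withdrawal returns to the default state; the caller re-renders the settings panel.
function withdraw() {
  return defaultConsent();
}

// Consent record: what was consented to, when, by which (pseudonymous) visitor, and
// against which policy version. Persist this server-side; it is the evidence a
// supervisory authority asks for.
function makeRecord(state, { consentId, policyVersion, now = new Date() }) {
  return {
    consentId,
    policyVersion,
    timestamp: now.toISOString(),
    granted: CATEGORIES.filter((c) => state[c] === true),
    denied: CATEGORIES.filter((c) => state[c] !== true),
  };
}

// Script blocking: a script is { src, category }. Only categories granted in `state`
// may run, and a tag with an unknown category is never loaded.
function allowedScripts(scripts, state) {
  return scripts.filter(
    (s) => CATEGORIES.includes(s.category) && state[s.category] === true
  );
}

// The consent state itself lives in a strictly necessary cookie. Parsing is
// defensive: a stale or tampered value can never grant more than the visitor chose.
function serializeConsent(state) {
  return CATEGORIES.filter((c) => state[c] === true).join(',');
}
function parseConsent(value) {
  const state = defaultConsent();
  if (typeof value !== 'string') return state;
  for (const part of value.split(',')) {
    if (CATEGORIES.includes(part)) state[part] = true;
  }
  state.necessary = true;
  return state;
}

// Browser glue (skipped outside a browser): tags are shipped inert as
// <script type="text/plain" data-category="analytics" data-src="..."></script>
// and replaced with live tags only for granted categories.
function activateScripts(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const entries = tags.map((t) => ({ src: t.dataset.src, category: t.dataset.category, el: t }));
  const wanted = allowedScripts(entries, state);
  for (const s of wanted) {
    const live = doc.createElement('script');
    live.src = s.src;
    s.el.replaceWith(live);
  }
  return wanted.map((s) => s.src);
}

// Constructed sample tags, as a page template might declare them.
const SAMPLE_SCRIPTS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
  { src: 'https://unknown.example/x.js', category: 'other' },
];
```

With `decide('reject_all')` only `/js/app.js` is activated; the analytics and marketing tags stay inert until the visitor grants those categories, and every decision produces a record you can store alongside the policy version it was given against.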
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
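As an added example (not code from the article or from any platform it names), the consent rules from the GDPR checklist (no pre-tick, granular, withdrawable), the separate-checkbox requirement under legal page placement, and this section’s double opt-in and consent-evidence guidance in one server-side store: one record per purpose with catch-all fields rejected, date, IP and method kept as evidence, a single-use expiring confirmation link, and withdrawal that is checked before every send. Class, function and purpose names are hypothetical.

```python
"""Granular consent records with double opt-in, evidence and withdrawal.
Added example for this article; not code from the original or from any named
platform (Mailchimp, ConvertKit, Complianz). All names are hypothetical."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# One checkbox per purpose (granular). Necessary account data is processed under
# the contract basis, so it is deliberately NOT a consent purpose.
PURPOSES = {"marketing_email", "analytics_cookies"}
NEEDS_DOUBLE_OPT_IN = {"marketing_email"}  # active only once the emailed link is clicked
CONFIRM_TTL = timedelta(hours=48)          # constructed policy value for link validity


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    granted_at: datetime
    ip: str
    method: str                       # how consent was given: this is the evidence
    confirmed: bool
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return (self.confirmed and self.granted_at <= at
                and (self.withdrawn_at is None or self.withdrawn_at > at))


class ConsentStore:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []
        self._pending: dict[str, tuple[str, datetime]] = {}  # sha256(token) -> (email, issued)

    def record_consent(self, email: str, submitted: dict[str, bool],
                       ip: str, method: str, now: datetime) -> list[str]:
        """Store one record per purpose the user ticked. `submitted` has one boolean
        per known purpose exactly as the form posted it (boxes render unticked; an
        unticked box stores nothing). A catch-all field such as "agree_all" is
        rejected because bundled consent is not valid consent."""
        unknown = set(submitted) - PURPOSES
        if unknown:
            raise ValueError(f"bundled or unknown consent field(s): {sorted(unknown)}")
        granted = []
        for purpose, ticked in submitted.items():
            if ticked:
                pending = purpose in NEEDS_DOUBLE_OPT_IN
                self.records.append(ConsentRecord(
                    email=email, purpose=purpose, granted_at=now, ip=ip, method=method,
                    confirmed=not pending, confirmed_at=None if pending else now))
                granted.append(purpose)
        return granted

    def issue_confirmation(self, email: str, now: datetime) -> str:
        """Return the single-use token for the confirmation link; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (email, now)
        return token

    def confirm(self, token: str, now: datetime, ip: str) -> bool:
        """Double opt-in: the click proves control of the mailbox."""
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now - entry[1] > CONFIRM_TTL:
            return False                    # unknown, already used, or expired link
        confirmed_any = False
        for rec in self.records:
            if (rec.email == entry[0] and rec.purpose in NEEDS_DOUBLE_OPT_IN
                    and not rec.confirmed and rec.withdrawn_at is None):
                rec.confirmed, rec.confirmed_at = True, now
                rec.method += f"+double_opt_in_link@{ip}"   # keep the click as evidence
                confirmed_any = True
        return confirmed_any

    def withdraw(self, email: str, purpose: str, now: datetime) -> int:
        """Withdrawal must be as easy as giving consent; returns records closed."""
        closed = 0
        for rec in self.records:
            if rec.email == email and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                closed += 1
        return closed

    def has_consent(self, email: str, purpose: str, at: datetime) -> bool:
        """Check before every send: consent must be confirmed and not withdrawn."""
        return any(r.email == email and r.purpose == purpose and r.active(at)
                   for r in self.records)


if __name__ == "__main__":                # constructed walk-through
    store, t0 = ConsentStore(), datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    store.record_consent("ana@example.com", {"marketing_email": True}, "203.0.113.5",
                         "signup_form_checkbox", t0)
    tok = store.issue_confirmation("ana@example.com", t0)
    print(store.confirm(tok, t0 + timedelta(hours=1), "203.0.113.5"),
          store.has_consent("ana@example.com", "marketing_email", t0 + timedelta(hours=2)))
```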
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
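The requirements in this list map directly onto code, and the one most often got wrong is “prior”: a banner that appears while analytics is already loading does not give prior consent. The block below is an added example (not code from the original post or any consent plugin) of a minimal consent manager in which non-essential scripts are shipped inert and activated only for categories the visitor opted into, nothing is pre-ticked, each decision is recorded with a timestamp and policy version, and withdrawal is a single call. The markup convention (`<script type="text/plain" data-category="..." data-src="...">`), the `cookie_consent` storage key, the policy version string and the two category names are assumptions made for the example.

```javascript
// Added example (not from the original post or any consent plugin): a minimal
// consent manager enforcing prior, granular, recorded and withdrawable consent.

const POLICY_VERSION = '2024-01'; // assumption: bump when the cookie policy changes so visitors are re-asked
const CATEGORIES = ['analytics', 'marketing']; // non-essential; "necessary" never needs consent
const STORAGE_KEY = 'cookie_consent';

// storage: anything with getItem/setItem/removeItem (window.localStorage in the
// browser; a Map-backed shim when running outside one)
function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return null; // no decision yet: treated as "no consent", never as "yes"
  try {
    const c = JSON.parse(raw);
    return c.version === POLICY_VERSION ? c : null; // stale policy version: ask again
  } catch {
    return null;
  }
}

// choices: { analytics: true/false, marketing: true/false }. Anything missing is false,
// which makes "no pre-ticked boxes" a property of the code rather than of the UI.
function recordChoice(storage, choices, now = new Date()) {
  const consent = { version: POLICY_VERSION, timestamp: now.toISOString() };
  for (const cat of CATEGORIES) consent[cat] = choices[cat] === true;
  storage.setItem(STORAGE_KEY, JSON.stringify(consent));
  return consent; // also POST this to your consent-log endpoint (assumed, not shown)
}

// "Reject All" must be exactly as available as "Accept All"
function rejectAll(storage, now) { return recordChoice(storage, {}, now); }
function acceptAll(storage, now) {
  const all = {};
  for (const cat of CATEGORIES) all[cat] = true;
  return recordChoice(storage, all, now);
}

// Withdrawal is as easy as giving consent: one call, and the next page load re-asks
function withdrawConsent(storage) { storage.removeItem(STORAGE_KEY); }

// Decide which deferred scripts may run. scripts: [{ category, src }]
function allowedScripts(consent, scripts) {
  return scripts.filter(
    (s) => s.category === 'necessary' || (consent !== null && consent[s.category] === true),
  );
}

// Browser side: tags are shipped as <script type="text/plain" data-category="analytics"
// data-src="..."> so the browser never executes them; real script tags are created only
// for allowed categories, which is what makes the consent "prior".
function activateScripts(doc, consent) {
  const deferred = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const scripts = deferred.map((el) => ({ category: el.dataset.category, src: el.dataset.src, el }));
  for (const s of allowedScripts(consent, scripts)) {
    const real = doc.createElement('script');
    real.src = s.src;
    s.el.replaceWith(real);
  }
}

if (typeof window !== 'undefined') {
  // On page load only previously consented categories run; with no record, show the banner first
  activateScripts(document, loadConsent(window.localStorage));
}
```

Wire the banner’s buttons to `acceptAll`, `rejectAll` and a per-category `recordChoice`, and the footer “cookie settings” link to `withdrawConsent`; the record returned by `recordChoice` is what goes into the server-side consent log the list’s last item requires.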
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. When configured for it (cookie-less tracking, IP anonymisation, no cross-site or cross-device tracking) it can run without a consent banner under several supervisory authorities' guidance; France's CNIL, for example, publishes a Matomo configuration that qualifies for its audience-measurement exemption. Check your own authority's position rather than assuming the exemption applies.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (clickwrap) at registration or checkout is far more likely to be enforced than "using the site implies acceptance" (browsewrap), which courts have repeatedly declined to enforce; use the checkbox for anything involving accounts or payments
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks "Accept"), not passive (accepting by scrolling or continuing to browse). The CJEU confirmed in Planet49 (2019) that a pre-ticked box is not valid consent.
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of your cookie policy, and by which user. For anonymous visitors, key the record by a random consent ID held in the consent cookie rather than by anything that identifies them; the consent log must not become a new tracking dataset.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes (ePrivacy) - unless the tool runs in a cookie-less configuration your supervisory authority accepts as exempt; see Privacy-First Analytics Options |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
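As an added example (not code from the original post or from any of the consent plugins it compares), here is the logic a consent gate has to get right to meet the requirements listed above and the category split in the table: nothing beyond strictly necessary runs before an explicit choice, the record captures what was consented to and under which policy version, "Reject All" is one call away from "Accept All", and withdrawal produces a new record rather than silently editing the old one. The category names, `POLICY_VERSION`, the `data-category` attribute and the `type="text/plain"` blocking convention are assumptions for the example (the text/plain trick is a common way consent plugins keep scripts from executing, but check what your plugin actually does).

```javascript
// Added example: a minimal consent gate implementing the requirements above.
// Not from the original post or any plugin it names. CATEGORIES, POLICY_VERSION,
// the data-category attribute and the type="text/plain" convention are assumptions.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-06'; // bump whenever the cookie policy changes

// Random, non-identifying ID for the consent record (works in browser and Node).
function newConsentId() {
  const c = globalThis.crypto;
  return c && c.randomUUID ? c.randomUUID() : require('crypto').randomUUID();
}

// State before any interaction: only strictly necessary is allowed. This is what
// "prior consent" and "no pre-ticked boxes" look like in code.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a record from explicit choices. Unknown categories are rejected, "necessary"
// cannot be switched off, and only a literal true counts as consent, so a banner
// bug (or a string "true" from a form) cannot accidentally grant anything.
function buildConsentRecord(choices, opts = {}) {
  const state = defaultConsent();
  for (const [cat, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
    if (cat !== 'necessary') state[cat] = value === true;
  }
  return {
    consentId: opts.consentId || newConsentId(), // random ID, not the user's identity
    policyVersion: POLICY_VERSION,
    timestamp: opts.now || new Date().toISOString(),
    method: opts.method || 'banner', // banner | settings | reject_all | withdrawal
    choices: state,
  };
}

// "Reject All" must be as easy as "Accept All": both are a single call.
const rejectAll = (opts = {}) => buildConsentRecord({}, { ...opts, method: 'reject_all' });
const acceptAll = (opts = {}) =>
  buildConsentRecord({ functional: true, analytics: true, marketing: true }, opts);

// A record only counts if it was given under the current policy version;
// after a policy change the banner has to ask again.
function isConsentCurrent(record) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION;
}

function isAllowed(record, category) {
  return isConsentCurrent(record) && record.choices[category] === true;
}

// Withdrawal produces a new record (new timestamp, method "withdrawal") instead of
// editing the old one, so the consent log shows both events.
function withdrawConsent(record, category, now) {
  const choices = { ...record.choices, [category]: category === 'necessary' };
  return { ...record, choices, method: 'withdrawal', timestamp: now || new Date().toISOString() };
}

// Decide which scripts may run. Each entry: { src, category }.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => s.category === 'necessary' || isAllowed(record, s.category));
}

// Browser side: scripts shipped as <script type="text/plain" data-category="analytics" src=...>
// do not execute; after consent, re-create the permitted ones as real scripts.
function activateBlockedScripts(doc, record) {
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-category]');
  for (const el of blocked) {
    if (!isAllowed(record, el.dataset.category)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

if (typeof document !== 'undefined') {
  // Example wiring: banner buttons call acceptAll()/rejectAll() and persist the record;
  // on load, only a record for the current policy version activates anything.
  const saved = JSON.parse(localStorage.getItem('consent') || 'null');
  if (isConsentCurrent(saved)) activateBlockedScripts(document, saved);
}
```

The two checks most worth copying into your own banner are the `value === true` comparison (a form that posts the string "true", or a plugin option that defaults to on, must not count as consent) and the policy-version check (a record from before your last cookie policy change is not consent for the new policy).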
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request, extendable by up to two further months for complex or numerous requests, free of charge in the normal case)
- Process for deletion requests (erase the data within one month, with exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Keep an internal log of every breach, including the ones you judge not to require notification, together with the reasoning - the regulator can ask for it. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor's servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (in an iframe served by the processor) and tokenizing them before anything is sent to your server. SAQ A still assumes the page that embeds the payment form is not compromised: a JavaScript skimmer injected into your checkout page through a vulnerable plugin or a hijacked third-party script can read card data before it reaches the processor's iframe. Keep checkout pages free of unnecessary third-party scripts, keep WordPress and plugins patched, and restrict who can edit theme and plugin files.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, so put the renewal date in the compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance, provided you store the timestamp and the version of the terms that was accepted alongside the account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, and none of them may be pre-ticked - bundled consent is not valid.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
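Client-side tokenization only keeps you in SAQ A scope if raw card numbers really never reach your server, including by accident through a "notes" field, a support form, or a misconfigured checkout. One defensive check is to refuse any request body that contains something shaped like a primary account number. The block below is an added example, not code from the article, Stripe, PayPal or WooCommerce: a Luhn-based PAN detector and an Express-style middleware built on it. The `4242424242424242` value in the test is Stripe's public test card; the `tok_` token format and field names are assumptions.

```javascript
// Added example (not from the article): reject request bodies that carry a
// raw card number so PAN data never lands in your logs or database.

// Luhn check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Find runs of 13-19 digits (spaces or dashes allowed between digits) that pass Luhn.
// Phone numbers and most order ids are too short or fail the checksum.
function findPans(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk an arbitrary JSON body and return the dotted paths of fields holding a PAN.
function panFields(body, path = '') {
  const found = [];
  if (body === null || body === undefined) return found;
  if (typeof body === 'string' || typeof body === 'number') {
    if (findPans(String(body)).length) found.push(path || '$');
  } else if (typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      found.push(...panFields(v, path ? `${path}.${k}` : k));
    }
  }
  return found;
}

// Express-style middleware: 400 on any PAN-looking field, before the body is
// logged or persisted. Processor tokens (e.g. "tok_...") pass through untouched.
function rejectRawCardData() {
  return (req, res, next) => {
    const fields = panFields(req.body);
    if (fields.length) {
      return res.status(400).json({ error: 'raw card data is not accepted', fields });
    }
    next();
  };
}

module.exports = { luhnValid, findPans, panFields, rejectRawCardData };
```

Mount the middleware before any request logger so a rejected body is never written out; the response lists field paths only, never the detected digits.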
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse).
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases).
- Consent records: You must store a record of what was consented to, when, and by which user.
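The requirements above, as an added example that is not code from the original post or from any of the plugins it compares: a small consent model that keeps non-essential scripts blocked until an explicit decision exists, treats unchecked boxes as no consent, records who consented to what and when, and makes withdrawal a single action. All function names, the policy-version re-consent rule, and the sample script tags are this example's own assumptions.

```javascript
// Added example (not code from the original post): a minimal consent model
// that enforces prior, active, granular, withdrawable consent and keeps a
// record of each decision. It runs in Node without a DOM; in a real banner
// you would call submitConsent() from the button handlers and use
// scriptsToActivate() to turn <script type="text/plain" data-consent="..."> tags
// into live scripts. All names and the policy-version rule are this example's own.

const CONSENT_POLICY_VERSION = "2024-05"; // constructed; bump when cookie use changes
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const EXPLICIT_ACTIONS = new Set(["accept_all", "reject_all", "save_selection"]);

// State before the visitor acts: only strictly necessary cookies are allowed.
// "Prior" consent means everything else stays blocked until a record exists.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from an explicit banner action. Scrolling or
// continuing to browse is not an action here, so it cannot produce a record.
// ctx = { now: Date, subjectId: string } identifies when and by whom.
function submitConsent(action, choices, ctx) {
  if (!EXPLICIT_ACTIONS.has(action)) {
    throw new Error(`"${action}" is not an explicit consent action`);
  }
  const granted = defaultConsent();
  for (const category of CATEGORIES) {
    if (category === "necessary") continue; // exempt; cannot be switched off
    if (action === "accept_all") granted[category] = true;
    // save_selection: an unchecked or missing box means no consent (no pre-tick);
    // reject_all: choices are ignored and everything non-essential stays false.
    if (action === "save_selection") granted[category] = choices[category] === true;
  }
  return {
    version: CONSENT_POLICY_VERSION,
    timestamp: ctx.now.toISOString(),
    subjectId: ctx.subjectId,
    action,
    granted,
  };
}

// Does this record still authorise the category? A record made under an older
// policy version no longer counts: the visitor is asked again (re-consent).
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || record.version !== CONSENT_POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// Withdrawal is one call, as easy as accepting was. The earlier record is
// kept in the log so the history of what was consented to stays auditable.
function withdrawConsent(ctx) {
  return submitConsent("reject_all", {}, ctx);
}

// Append-only consent log and lookup of the latest decision per visitor.
function appendRecord(log, record) {
  return [...log, record];
}
function latestRecord(log, subjectId) {
  const mine = log.filter((r) => r.subjectId === subjectId);
  return mine.length ? mine[mine.length - 1] : null;
}

// Given blocked tags like { src, category }, return the sources that may load.
function scriptsToActivate(record, tags) {
  return tags.filter((t) => isAllowed(record, t.category)).map((t) => t.src);
}

// Constructed sample: tags as a consent plugin would have rewritten them.
const SAMPLE_TAGS = [
  { src: "/wp-includes/js/jquery.js", category: "necessary" },
  { src: "https://analytics.example/script.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Demo: visitor allows analytics only, then withdraws.
const demoCtx = { now: new Date("2024-05-01T10:00:00Z"), subjectId: "visitor-42" };
let demoLog = [];
demoLog = appendRecord(demoLog, submitConsent("save_selection", { analytics: true }, demoCtx));
console.log(scriptsToActivate(latestRecord(demoLog, "visitor-42"), SAMPLE_TAGS));
demoLog = appendRecord(demoLog, withdrawConsent(demoCtx));
console.log(scriptsToActivate(latestRecord(demoLog, "visitor-42"), SAMPLE_TAGS));
```

Storing the record server-side (or in the plugin's consent log) rather than only in a cookie is what lets you answer "who consented to what, and when" during an audit.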
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
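The requirements above and the category table, as an added example that is not code from the post or from any of the plugins it compares: a small consent gate in JavaScript. Nothing outside the strictly necessary category loads before an active choice, choices are per category, reject and withdraw are one call each, and every decision is recorded with what, when and by whom. The `store` and `loaders` hooks are assumed interfaces injected as stand-ins so the code runs without a browser; on a real page they would wrap localStorage and the code that injects each category's script tags.

```javascript
// Added example (not from the original post or any plugin it names).
// Models the rules above: nothing non-essential loads before an active choice,
// categories are granular, "reject" and "withdraw" are one call each, and every
// decision is logged with what/when/by whom plus the policy version it applies to.
// `store` and `loaders` are assumed, injected interfaces so this runs without a
// browser; in a real page wire them to localStorage and to script injection.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Bump this when the cookie policy changes: a decision made under an older
// policy is stale and the banner must ask again.
const POLICY_VERSION = '2024-01';

function createConsentManager({ store, loaders = {}, now = () => new Date(), userId = 'anonymous' }) {
  const loaded = new Set();   // categories whose scripts ran in this page view
  const log = [];             // consent records for this session (persist these server-side)
  let state = store.get();
  // A missing, corrupt or stale stored decision counts as "no decision".
  if (state && (state.policyVersion !== POLICY_VERSION || !state.choices)) state = null;

  function hasDecision() {
    return state !== null;
  }

  function isAllowed(category) {
    if (category === 'necessary') return true;   // strictly necessary cookies are exempt
    if (!state) return false;                     // no decision yet: never assume "yes"
    return state.choices[category] === true;
  }

  // Inject scripts only for categories the visitor allowed. Withdrawal cannot
  // unload a script already running in this page view; the next page view will
  // simply not load it (and the site must also delete the cookies it set).
  function applyLoaders() {
    for (const cat of CATEGORIES) {
      if (isAllowed(cat) && !loaded.has(cat) && typeof loaders[cat] === 'function') {
        loaders[cat]();
        loaded.add(cat);
      }
    }
  }

  // Build a full per-category decision; "necessary" is always on, nothing else is
  // pre-ticked, so a category the visitor did not select is explicitly false.
  function choicesFrom(selected) {
    const choices = {};
    for (const cat of CATEGORIES) {
      choices[cat] = cat === 'necessary' ? true : selected.includes(cat);
    }
    return choices;
  }

  function record(choices, method) {
    const entry = {
      userId,                              // "by whom"
      method,                              // accept_all | reject_all | custom | withdraw
      policyVersion: POLICY_VERSION,
      timestamp: now().toISOString(),      // "when"
      choices,                             // "what"
    };
    state = entry;
    store.set(entry);
    log.push(entry);
    applyLoaders();
    return entry;
  }

  return {
    hasDecision,
    isAllowed,
    acceptAll: () => record(choicesFrom(CATEGORIES), 'accept_all'),
    rejectAll: () => record(choicesFrom([]), 'reject_all'),      // as prominent as Accept All
    save: (selected) => record(choicesFrom(selected), 'custom'),   // granular per-category choice
    withdraw: () => record(choicesFrom([]), 'withdraw'),           // footer "cookie settings" link
    getLog: () => log.slice(),
    loadedCategories: () => Array.from(loaded),
  };
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function memoryStore(initial = null) {
  let value = initial;
  return { get: () => value, set: (v) => { value = v; } };
}

// Demo: a visitor allows analytics only, so marketing never loads; later they withdraw.
const demoCalls = [];
const demo = createConsentManager({
  store: memoryStore(),
  loaders: { analytics: () => demoCalls.push('analytics'), marketing: () => demoCalls.push('marketing') },
  userId: 'visitor-demo',
});
demo.save(['analytics']);
demo.withdraw();
console.log(demoCalls, demo.getLog().map((e) => e.method));   // [ 'analytics' ] [ 'custom', 'withdraw' ]
```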
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
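A server-side check that enforces the rule above, as an added example that is not code from the post or from Stripe, PayPal or WooCommerce: when the processor’s form tokenizes the card client-side, a card number should never arrive at your server, so any request that does carry one (a customer pasting it into a notes field, a mis-wired form) is rejected before it can reach your database or logs. Function names and the sample submission are constructed for this example.

```javascript
// Added example (not from the original post, Stripe, PayPal or WooCommerce).
// Keeps card numbers out of your own forms, database and logs: detect a Luhn-valid
// 13-19 digit run in any submitted field and reject the request instead of storing it.

// Luhn mod-10 checksum: every payment card number passes it. Some non-card numbers
// pass too, but for this guard a false positive means a rejected form, not a stored card.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by spaces or dashes (the PAN lengths PCI DSS covers).
// Longer digit runs are tested as one run, so a PAN embedded in a longer number is not split out.
const CANDIDATE_RE = /(?:\d[ -]?){12,18}\d/g;

// Return every Luhn-valid candidate found in a string, with separators removed.
function findPans(text) {
  const found = [];
  for (const m of String(text).match(CANDIDATE_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Names of the submitted fields that contain a PAN; an empty array means the
// submission is safe to persist.
function fieldsWithPan(fields) {
  const flagged = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value === 'string' && findPans(value).length > 0) flagged.push(name);
  }
  return flagged;
}

// If the rejection must be logged, keep only the last four digits.
function maskPan(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Constructed sample submission. 4111 1111 1111 1111 is a widely used processor
// test number, not a real card; INV-1234567890123456 is 16 digits but fails Luhn.
const sampleSubmission = {
  name: 'A. Customer',
  phone: '+1 555 0100',
  order_ref: 'INV-1234567890123456',
  notes: 'please charge my card 4111-1111-1111-1111 thanks',
};

const rejectedFields = fieldsWithPan(sampleSubmission);
if (rejectedFields.length > 0) {
  // In a request handler: respond 400 and never write the raw field value anywhere.
  console.log('rejected submission; PAN found in:', rejectedFields,
    'masked:', findPans(sampleSubmission.notes).map(maskPan));   // [ 'notes' ] [ '************1111' ]
}
```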
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
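To make the requirements list and the category table above concrete, here is an added example (not code from the original post or from any of the consent plugins compared below) of the state machine a consent banner sits on top of: nothing beyond the exempt category runs before a decision, consent is granular, "Reject All" and withdrawal reset to the exempt-only state, and every decision is logged with who, what, when and under which policy version. The category names, the script manifest, the subject id and the policy version are constructed; a real banner would wire `accept`/`rejectAll` to its buttons and persist the log server-side.

```javascript
// Added example, not from the original post or any consent plugin: a consent
// state machine encoding prior, granular, withdrawable consent plus a record of
// each decision. Category names, manifest and identifiers are constructed.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed manifest: which consent category each script needs. 'necessary'
// covers the exempt cookies in the table (session, login, cart, CSRF token).
const SCRIPT_MANIFEST = [
  { id: 'csrf-helper', category: 'necessary' },
  { id: 'lang-pref',   category: 'functional' },
  { id: 'analytics',   category: 'analytics' },
  { id: 'ad-pixel',    category: 'marketing' },
];

function createConsentManager({ subjectId, policyVersion, now = () => new Date().toISOString() }) {
  // null = no decision yet. "Prior" consent means nothing non-essential runs in this state.
  let granted = null;
  const log = [];

  function record(action) {
    // Consent record: what was consented to, when, by which user, under which policy text.
    const entry = { subjectId, policyVersion, action, granted: [...granted], timestamp: now() };
    log.push(entry);
    return entry;
  }

  function isAllowed(category) {
    if (category === 'necessary') return true;        // exempt, never gated
    return granted !== null && granted.has(category);  // no decision = not allowed
  }

  return {
    // Granular accept: exactly the categories the user actively ticked. No
    // defaults are assumed here, which is what "no pre-ticked boxes" means in code.
    accept(categories) {
      const unknown = categories.filter((c) => !CATEGORIES.includes(c));
      if (unknown.length) throw new Error(`unknown categories: ${unknown.join(', ')}`);
      granted = new Set(['necessary', ...categories]);
      return record('accept');
    },
    acceptAll() { granted = new Set(CATEGORIES); return record('accept'); },
    // "Reject All" must sit beside "Accept All"; it leaves only exempt cookies.
    rejectAll() { granted = new Set(['necessary']); return record('reject'); },
    // Withdrawal is as easy as granting and is logged like any other decision.
    withdraw() { granted = new Set(['necessary']); return record('withdraw'); },
    isAllowed,
    hasDecision: () => granted !== null,
    // A changed policy text invalidates earlier consent: the banner must ask again.
    needsReprompt: (currentVersion) => granted === null || currentVersion !== policyVersion,
    // Script blocking: the script ids the page may load right now.
    loadableScripts: (manifest = SCRIPT_MANIFEST) =>
      manifest.filter((s) => isAllowed(s.category)).map((s) => s.id),
    getLog: () => log.map((e) => ({ ...e })),
  };
}
```

The useful check when evaluating a plugin is the same one the code makes explicit: call `loadableScripts()` before any click and confirm only the exempt scripts come back. Banners that inject analytics tags on page load and merely hide the banner after "Accept" fail the "prior" requirement regardless of what the banner text says.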
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
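Even with a tokenizing payment form in place, customers will sometimes type a card number into a contact form or order note, and that field then lands in your database, your email inbox and your logs, pulling you out of SAQ A scope. The guard below is an added example, not code from the original post or from Stripe, PayPal or WooCommerce: it finds card-number-shaped digit runs in free-text fields, confirms them with the standard Luhn checksum so order references and phone numbers are not false positives, masks them to the last four digits, and flags the submission so the handler can reject or quarantine it before persistence. The field names and the sample submission are constructed.

```javascript
// Added example, not from the original post or any payment processor's SDK:
// a server-side screen that keeps card numbers out of free-text form storage.
// Field names and the sample submission below are constructed.

// Luhn checksum used by payment card numbers; rejects most random digit runs.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate = 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// All substrings that look like a card number AND pass Luhn.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Keep only the last four digits, the form PCI DSS allows to be displayed.
function maskPan(s) {
  const digits = s.replace(/[ -]/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Screen a submission: returns masked fields plus the names of fields that held
// a card number, so the handler can refuse to store or forward the original.
function screenSubmission(fields) {
  const out = {};
  const flagged = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') { out[name] = value; continue; }
    const pans = findPans(value);
    let masked = value;
    for (const p of pans) masked = masked.split(p).join(maskPan(p));
    out[name] = masked;
    if (pans.length) flagged.push(name);
  }
  return { clean: flagged.length === 0, flagged, fields: out };
}

// Constructed submission: a well-known test card number in the message field and
// a 16-digit order reference that is not a card number (fails Luhn).
const SAMPLE_SUBMISSION = {
  name: 'Pat Example',
  email: 'pat@example.com',
  message: 'Please charge my card 4242 4242 4242 4242, thanks',
  order_ref: 'ORD-1234567890123456',
};
```

In practice `screenSubmission` runs in the form handler before the row is written or the notification email is sent; a flagged result is the signal to drop the original text, store only the masked version if anything, and answer the customer with a link to the real payment form.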
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (for a typical website: consent, contract, legitimate interests, or legal obligation) and write it down next to the data-mapping entry it covers
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data without undue delay and within one month; this can be extended by two further months for complex or numerous requests, but you must tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as records you must keep for tax, accounting, or legal reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (accept Google’s data processing terms), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors either build the DPA into their standard terms or make it available for download or electronic acceptance in their settings dashboards. Completing them is a 10-minute task per vendor; keep a dated copy of each version you accepted. Not having them in place is a GDPR violation (Article 28) even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Keep an internal log of every breach, including the ones you decide not to report and why, because the regulator can ask to see it. Designate someone responsible for breach assessment and notification in your organization, and know in advance how your host and other processors will tell you about breaches on their side (processors must notify you without undue delay).
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (iframe or JavaScript) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A, the simplest self-assessment questionnaire. Reduced is not zero: the page that embeds the form is still yours, and if an attacker can modify it (a compromised plugin, a stolen admin login) they can add a script that skims card details before they reach the processor. Keep that page and the site around it patched and locked down, and review which scripts load on it.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
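Even when checkout belongs to Stripe or PayPal, card numbers can still arrive through your own forms: a customer types one into a contact form or an order note because they want to “just give you the card”. The following is an added example, not code from the article or from any of the named processors or plugins: a pre-storage screen that looks for Luhn-valid 13-19 digit sequences in submitted fields, rejects the submission, and produces a redacted copy that is safe to log. The field names and the two sample submissions are constructed; on a WordPress site the same logic would live in the form plugin’s validation hook, and Python is used here only to give a runnable sketch.

```python
"""Keep card numbers out of your own forms, database and logs.

Added example, not code from the original article or from Stripe, PayPal or
WooCommerce: a pre-storage screen that spots Luhn-valid 13-19 digit sequences
in submitted fields, rejects the submission and produces a redacted copy that
is safe to log. Field names and the two sample submissions are constructed.
"""
import re
from typing import Dict, List

# A run of 13-19 digits, allowing the spaces or dashes people type between groups.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real card number passes; most random digit runs fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _normalize(match: str) -> str:
    """Strip the separators so the digits can be Luhn-checked and masked."""
    return re.sub(r"[ -]", "", match)


def find_pans(text: str) -> List[str]:
    """Return every probable card number in text, digits only, in order of appearance."""
    return [d for d in (_normalize(m.group(0)) for m in _CANDIDATE.finditer(text))
            if 13 <= len(d) <= 19 and luhn_valid(d)]


def redact(text: str) -> str:
    """Mask each probable card number, keeping the last four digits (what receipts show)."""
    def _mask(m) -> str:
        d = _normalize(m.group(0))
        if 13 <= len(d) <= 19 and luhn_valid(d):
            return "*" * (len(d) - 4) + d[-4:]
        return m.group(0)          # not a card number: leave the text untouched
    return _CANDIDATE.sub(_mask, text)


def screen_submission(fields: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a form submission may be stored.

    Returns accept (bool), flagged_fields (names that contained a card number) and
    safe_copy (redacted values you may log or echo in the error message). When
    accept is False the original values must be dropped, not saved for review.
    """
    flagged = [name for name, value in fields.items() if find_pans(value)]
    return {
        "accept": not flagged,
        "flagged_fields": flagged,
        "safe_copy": {name: redact(value) for name, value in fields.items()},
    }


# Constructed samples. 4111 1111 1111 1111 is the widely published Visa test
# number; the order reference is 16 digits that fail Luhn and must pass through.
CLEAN = {"name": "A. Customer", "message": "Order 1234 5678 9012 3457 arrived damaged."}
LEAKY = {"name": "A. Customer", "message": "Charge my card 4111 1111 1111 1111 instead."}

if __name__ == "__main__":
    for sub in (CLEAN, LEAKY):
        print(screen_submission(sub))
```

Run it as a script to see both verdicts. The order reference in the clean sample is 16 digits that fail the Luhn check, which is why it passes through; a plain “16 digits in a row” regex would have rejected a legitimate message, and that false-positive rate is what makes people switch such checks off.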
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, and the safe harbor with it. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (13 for US sites; for EU users GDPR’s default is 16, though member states may lower it to 13), and add a date-of-birth or age check to registration forms if there is any realistic possibility of underage users. If you learn that a user is under the limit, delete the account and its data rather than keep it.
Legal Page Templates and Placement
Your legal pages need to be easy to find from every page where they matter. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, each consent-based purpose (for example, marketing emails) needs its own unticked checkbox, separate from the terms acceptance and from the data you need to provide the service itself - bundled consent is not valid, and consent cannot be made a condition of creating the account.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (with national ePrivacy rules layered on top), you need opt-in consent before sending marketing emails. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and your postal address, and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages; implied consent is limited to narrow cases such as an existing business relationship, and it expires.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
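The registration paragraph above (one unticked box per purpose) and the email-list advice (record the date, IP, and method of consent for each subscriber) describe the same piece of evidence from two angles. Below is an added example, not code from the article or from any consent plugin or email platform, showing one way to store it: an append-only ledger in which every event covers exactly one purpose, a later withdrawal overrides an earlier grant, and the version of the policy text the person saw travels with the event. The purposes, policy version labels, subscriber id and IP address are constructed.

```python
"""Per-purpose consent records with withdrawal and an append-only audit trail.

Added example, not code from the original article or from any consent plugin
or email platform. Purposes, policy version labels, the subscriber id and the
IP address below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Consent-based purposes this site asks about. Data needed to run the account
# itself is NOT here: its lawful basis is the contract, not consent.
PURPOSES = {"marketing_email", "analytics", "third_party_ads"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str            # pseudonymous user or subscriber id
    purpose: str               # exactly one purpose per event: granular by construction
    granted: bool              # False records a refusal or a withdrawal
    recorded_at: datetime      # UTC
    method: str                # "double_opt_in", "registration_checkbox", "unsubscribe_link", ...
    source_ip: Optional[str]   # None when not captured (e.g. withdrawal by email reply)
    policy_version: str        # which privacy/cookie policy text the person was shown


@dataclass
class ConsentLedger:
    """Append-only: events are never edited or deleted, so the history stays auditable."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, granted: bool, method: str,
               source_ip: Optional[str], policy_version: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown consent purpose {purpose!r}")
        ev = ConsentEvent(subject_id, purpose, granted, at or datetime.now(timezone.utc),
                          method, source_ip, policy_version)
        self.events.append(ev)
        return ev

    def record_form(self, subject_id: str, ticked: Dict[str, bool], method: str,
                    source_ip: Optional[str], policy_version: str,
                    at: Optional[datetime] = None) -> List[ConsentEvent]:
        """One event per checkbox shown, so refusals are evidenced too and nothing is bundled."""
        if not ticked:
            raise ValueError("no consent purposes were presented")
        return [self.record(subject_id, p, bool(v), method, source_ip, policy_version, at)
                for p, v in ticked.items()]

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event for this subject and purpose wins: a withdrawal revokes earlier grants."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.recorded_at >= latest.recorded_at:
                    latest = ev
        return latest is not None and latest.granted

    def evidence(self, subject_id: str) -> List[Dict[str, object]]:
        """Everything about one person, in the form you would export for an access request."""
        return [{"purpose": ev.purpose, "granted": ev.granted,
                 "recorded_at": ev.recorded_at.isoformat(), "method": ev.method,
                 "source_ip": ev.source_ip, "policy_version": ev.policy_version}
                for ev in self.events if ev.subject_id == subject_id]


def demo() -> ConsentLedger:
    """Constructed history for one subscriber: banner choices, double opt-in, later unsubscribe."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record_form("sub-42", {"analytics": True, "third_party_ads": False},
                       "cookie_banner", "203.0.113.7", "cookies-2024-02", at=t0)
    ledger.record("sub-42", "marketing_email", True, "double_opt_in",
                  "203.0.113.7", "privacy-2024-02", at=t0)
    ledger.record("sub-42", "marketing_email", False, "unsubscribe_link", None,
                  "privacy-2024-02", at=datetime(2024, 6, 15, 18, 30, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    lg = demo()
    for p in sorted(PURPOSES):
        print(p, lg.has_consent("sub-42", p))
    for row in lg.evidence("sub-42"):
        print(row)
```

Two design points carry the compliance weight. Refusals are stored, not just grants, so you can show that a purpose was asked about and declined rather than never asked. And the ledger is never rewritten: withdrawing consent appends an event, which is what lets you prove both that the person once opted in and exactly when you stopped being allowed to email them.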
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
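The requirements above and the category table, as an added JavaScript example that is not code from the original post or from any of the consent plugins it compares: a small consent gate whose default enables only strictly necessary cookies, records each per-category choice with timestamp, policy version and subject, supports one-call rejection and withdrawal, and lets tagged third-party scripts load only after a matching record exists. The category names, policy version, script registry, tag URLs and storage key are constructed assumptions.

```javascript
'use strict';

// Categories from the table above; only "necessary" is exempt from consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed: bump this whenever the cookie policy changes so old consent is re-asked.
const POLICY_VERSION = '2024-01';

// Constructed registry of third-party tags keyed by category. The URLs are
// placeholders; on a real site they would be your analytics and ad tags.
const SCRIPT_REGISTRY = [
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// State before the visitor acts: every non-essential category is off.
// This is the "no pre-ticked boxes" rule expressed as data.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from explicit checkbox choices. Only a literal `true`
// enables a category (a truthy string from a form is not an explicit choice),
// and "necessary" cannot be turned off. `subjectId` is the logged-in user id or
// a random per-visitor id, so the record answers "by which user". `now` is
// injectable so the record can be tested deterministically.
function buildConsentRecord(choices, subjectId, now = new Date()) {
  const categories = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices[cat] === true) categories[cat] = true;
  }
  return {
    version: POLICY_VERSION,
    subjectId,
    timestamp: now.toISOString(),
    categories,
    method: 'explicit-click', // never derived from scrolling or continued browsing
  };
}

// "Reject All" must be as easy as "Accept All": one call, only necessary stays on.
function rejectAll(subjectId, now = new Date()) {
  return buildConsentRecord({}, subjectId, now);
}

// Withdrawal produces a new record so the consent log shows when it changed.
function withdraw(record, category, now = new Date()) {
  const choices = { ...record.categories, [category]: false };
  return buildConsentRecord(choices, record.subjectId, now);
}

// Which registered tags may load under a record: none without a record (prior
// consent), none under a stale policy version, otherwise only consented categories.
function scriptsAllowed(record, registry = SCRIPT_REGISTRY) {
  if (!record || record.version !== POLICY_VERSION) return [];
  return registry.filter((s) => record.categories[s.category] === true);
}

// Browser-only wiring: persist the record client-side (post it to your consent
// log endpoint as well) and inject the allowed tags. Guarded so the pure
// functions above also run outside a browser.
const STORAGE_KEY = 'cookie_consent_record'; // constructed name
function applyConsent(record) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return;
  window.localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
  for (const s of scriptsAllowed(record)) {
    if (document.getElementById(s.id)) continue; // already injected
    const el = document.createElement('script');
    el.id = s.id;
    el.src = s.src;
    el.async = true;
    document.head.appendChild(el);
  }
}

// On page load: read any stored record; if none or stale, the site's own banner
// is shown and nothing non-essential loads until the visitor chooses.
function loadStoredConsent() {
  if (typeof window === 'undefined') return null;
  const raw = window.localStorage.getItem(STORAGE_KEY);
  if (!raw) return null;
  try {
    const record = JSON.parse(raw);
    return record.version === POLICY_VERSION ? record : null;
  } catch (e) {
    return null;
  }
}
```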
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
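The consent rules listed above and the category table, as an added example in JavaScript (not code from the article or from any of the plugins it compares): a small consent gate that keeps non-essential scripts unloaded until the visitor explicitly opts in per category, offers a one-step reject, supports withdrawal, and writes a record of who consented to what and when. The category names, record shape and script URLs are assumptions.

```javascript
// Added example: consent gating per cookie category. Category names, record
// shape and the script URLs below are assumptions, not from the article.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Non-essential scripts that must not load before consent (assumed URLs).
const GATED_SCRIPTS = {
  analytics: ["https://analytics.example/collect.js"],
  marketing: ["https://ads.example/pixel.js"],
};

// Prior consent: every non-essential category starts out refused.
// "necessary" is exempt (session, login, cart, CSRF) and is always allowed.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Only an explicit boolean true counts as consent. A missing key, a truthy
// string or a pre-filled value is treated as refused; "necessary" cannot be refused.
function normalizeChoices(choices) {
  const consent = defaultConsent();
  for (const category of CATEGORIES) {
    if (category !== "necessary") consent[category] = choices[category] === true;
  }
  return consent;
}

function createConsentStore() {
  return { current: defaultConsent(), records: [] };
}

// Consent record: which user, when, what action, and the resulting choices.
function appendRecord(store, userId, at, action) {
  store.records.push({ userId, at, action, choices: { ...store.current } });
}

// Granular consent: the visitor decides per category.
function recordConsent(store, { userId, choices, at }) {
  store.current = normalizeChoices(choices);
  appendRecord(store, userId, at, "granted");
  return store.current;
}

// "Reject All" is one call, as easy as "Accept All".
function rejectAll(store, { userId, at }) {
  store.current = defaultConsent();
  appendRecord(store, userId, at, "rejected");
  return store.current;
}

// Withdrawal of one category, e.g. from a footer "Cookie settings" link.
function withdrawConsent(store, { userId, category, at }) {
  if (category !== "necessary" && CATEGORIES.includes(category)) {
    store.current[category] = false;
    appendRecord(store, userId, at, "withdrawn");
  }
  return store.current;
}

function isAllowed(store, category) {
  return store.current[category] === true;
}

// Scripts the page may load right now, given the current consent state.
function scriptsToLoad(store) {
  return CATEGORIES.filter((c) => isAllowed(store, c)).flatMap((c) => GATED_SCRIPTS[c] || []);
}

// Browser side: inject only the permitted scripts. Guarded so it also runs under Node.
function loadPermittedScripts(store, doc = typeof document === "undefined" ? null : document) {
  const urls = scriptsToLoad(store);
  if (doc) {
    for (const src of urls) {
      const el = doc.createElement("script");
      el.src = src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  return urls;
}
```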
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
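The five requirements above translate directly into code. The following is an added example (not code from the original post or from any of the plugins compared below) of a minimal consent manager that enforces them as pure logic: nothing is pre-ticked, each category is granted separately, a gated script loads only once its category has consent, withdrawal is a single call, and every decision is appended to a consent log with a timestamp, the user identifier and the policy version. The `loadScript` callback, `POLICY_VERSION` and the sample script URLs are assumptions of the example; in a browser the callback would append the `<script>` tag.

```javascript
// Added example: consent gating as pure logic, runnable in Node or a browser.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed value: change whenever the cookie policy changes

function onlyNecessary() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

function createConsentManager({ loadScript, now = () => new Date(), userId = null }) {
  let state = onlyNecessary();   // default: nothing pre-ticked, only exempt cookies allowed
  const records = [];            // append-only consent log: what, when, which user
  const registered = [];         // scripts gated behind a cookie category
  const loaded = new Set();

  // Load every registered script whose category now has consent (once each).
  function flush() {
    for (const s of registered) {
      if (state[s.category] && !loaded.has(s.id)) {
        loaded.add(s.id);
        loadScript(s);           // in a browser: append the <script> tag here
      }
    }
  }

  function setState(next, action) {
    state = next;
    records.push({
      action,                                        // "grant" or "withdraw"
      categories: CATEGORIES.filter((c) => state[c]),
      at: now().toISOString(),
      userId,
      policyVersion: POLICY_VERSION,
    });
    flush();
  }

  // Granular grant: each category must be chosen explicitly; anything not
  // mentioned stays off, and "necessary" is always on because it is exempt.
  function grant(choices) {
    const next = onlyNecessary();
    for (const c of CATEGORIES) {
      if (c !== "necessary") next[c] = choices[c] === true;
    }
    setState(next, "grant");
  }

  return {
    isAllowed: (category) => state[category] === true,
    register(id, category, src) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
      registered.push({ id, category, src });
      flush();                   // loads immediately only if consent already exists
    },
    grant,
    acceptAll: () => grant(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => grant({}),  // an explicit "Reject All" is still a recorded choice
    // Withdrawal stops further loading; scripts already running cannot be unloaded
    // in-page, so a reload (and deleting their cookies) usually follows.
    withdraw: () => setState(onlyNecessary(), "withdraw"),
    records: () => records.slice(),
    loadedScriptIds: () => [...loaded],
  };
}

// Usage with an injected loader and constructed sample scripts.
const demoLoaded = [];
const demo = createConsentManager({ loadScript: (s) => demoLoaded.push(s.id), userId: "visitor-7f3a" }); // sample id
demo.register("analytics-tag", "analytics", "https://analytics.example.invalid/tag.js");
demo.register("ad-pixel", "marketing", "https://ads.example.invalid/pixel.js");
demo.grant({ analytics: true });   // the visitor ticked analytics only
console.log(demoLoaded, demo.isAllowed("marketing")); // [ 'analytics-tag' ] false
```

The consent log produced by `records()` is what the "Consent records" requirement asks for: store it server-side keyed by the visitor or account so it can be produced on request, and re-prompt when `policyVersion` changes.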
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
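An age check on a registration form is simple to describe but easy to get subtly wrong (the birthday not yet reached this year, impossible dates such as 30 February, a date of birth in the future). The following is an added example (not code from the original post) of a date-of-birth check with a per-region minimum age; the `MIN_AGE` table is an assumption of the example using the 13 (COPPA) and 16 (EU default) figures from the text, and should be extended for the jurisdictions you actually serve.

```javascript
// Added example: registration-form age check with per-region minimum age.
const MIN_AGE = { US: 13, EU: 16 }; // assumed table; EU member states may set 13-16

// Full years between a YYYY-MM-DD date of birth and `today` (both treated as UTC dates).
function ageInYears(dobIso, today) {
  const parts = String(dobIso).split("-").map(Number);
  const [y, m, d] = parts;
  if (parts.length !== 3 || !y || !m || !d) throw new Error("date of birth must be YYYY-MM-DD");
  // Round-trip through Date to reject impossible dates (e.g. 2013-02-30 would roll into March).
  const dob = new Date(Date.UTC(y, m - 1, d));
  if (dob.getUTCFullYear() !== y || dob.getUTCMonth() !== m - 1 || dob.getUTCDate() !== d) {
    throw new Error(`invalid date of birth: ${dobIso}`);
  }
  let age = today.getUTCFullYear() - y;
  const hadBirthdayThisYear =
    today.getUTCMonth() > m - 1 ||
    (today.getUTCMonth() === m - 1 && today.getUTCDate() >= d);
  if (!hadBirthdayThisYear) age -= 1;
  return age;
}

// Returns a decision object; on a rejection the date of birth itself should not be
// stored, since that would mean collecting personal data from an under-age child.
function checkRegistrationAge(dobIso, region, today = new Date()) {
  const minimumAge = MIN_AGE[region];
  if (minimumAge === undefined) throw new Error(`no minimum age configured for region ${region}`);
  const age = ageInYears(dobIso, today);
  if (age < 0) return { allowed: false, reason: "dob-in-future" };
  return {
    allowed: age >= minimumAge,
    age,
    minimumAge,
    reason: age >= minimumAge ? null : "under-minimum-age",
  };
}

// Constructed sample: a 15-year-old registering on a site that applies the EU default.
console.log(checkRegistrationAge("2011-03-10", "EU", new Date(Date.UTC(2026, 5, 15)))); // allowed: false, age: 15
```

Once a registration passes, store only the fact that the age check passed (and when), not the date of birth, unless you have a separate reason and lawful basis to keep it.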
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (typically 13, or 16 for sites serving EU users, where GDPR Article 8 lets member states set the age of digital consent anywhere from 13 to 16), and add an age check to registration if underage users are plausible. If you add one, make it a neutral age screen: ask for the date of birth without announcing the cutoff, do not let a refused visitor go back and change the answer, and discard any data they already entered. A prompt that says “you must be 13 to register” simply invites a false answer, and records showing you knew a user was under 13 are precisely what turns a general-audience site into a COPPA problem.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - provided you actually store it: log the user ID, the timestamp, and the version of the terms that was on the page, because a bare boolean cannot show which terms were accepted. For GDPR consent, separate checkboxes for each consent purpose are required (for example email marketing, as opposed to the account data needed to provide the service, which rests on the contract and needs no consent checkbox at all) - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent because it sets identifying cookies (consent under the ePrivacy rules) and sends the resulting personal data to Google’s servers, including in the US (GDPR). If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly - that means cookie-less tracking enabled and IP anonymisation on; a default Matomo install sets cookies and is not consent-free.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a cookie-less, privacy-first analytics tool removes analytics from the consent banner (and removes the banner entirely if analytics was your only non-essential category), and often speeds up your site, because these tools load a much smaller script than Google Analytics.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and at the latest within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month deadline, subject to the Article 17 exceptions, such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in a structured, commonly used, machine-readable format such as CSV or JSON)
- Process for correction requests (update inaccurate data, and pass the correction on to processors holding copies)
- Document where you receive these requests (email address or form) and how you verify the requester’s identity before releasing or erasing anything - an access request fulfilled for an impersonator is itself a personal data breach
Data Processing Agreements
Every third-party service that processes personal data on your behalf is a processor, and GDPR Article 28 requires a contract - the Data Processing Agreement (DPA) - between you and each one. This includes: Google Analytics (accept Google’s data processing terms), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), and hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic acceptance in their settings dashboards. Completing them is a 10-minute task per vendor. Keep the signed copy (or the DPA version and the date you accepted it) alongside your data map, so that when a vendor revises its terms you can see which version you are on. Not having them in place is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core WordPress data (user profile, comments, media) and include plugin data only where the plugin registers its own exporter and eraser. Run a test export for a dummy account before a real request arrives and check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear in it. WooCommerce, for example, only strips personal data from orders on erasure if that option is enabled in its privacy settings; decide this deliberately, since you may need to keep order records for accounting, which is a legitimate Article 17 exception you should document.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also inform the affected users directly without undue delay. 72 hours is short: designate someone responsible for breach assessment and notification, keep the authority’s reporting channel and your hosting provider’s incident contact in a runbook, and record every breach in an internal register - including those you decide not to report, with your reasoning - because Article 33(5) requires that documentation and the authority will ask for it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer and honor the Global Privacy Control (GPC) browser signal (the Sec-GPC: 1 request header), which the CCPA regulations treat as a valid opt-out request. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin also reacts to GPC rather than only to a click on the link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit and fix high-severity issues first. Automated scanners only find problems expressible as rules (missing alt text, low contrast, unlabeled form fields); follow them with a manual pass - unplug the mouse and tab through every form, menu and the cookie consent banner, since a banner whose “Reject” button cannot be reached by keyboard is both an accessibility failure and an invalid consent flow.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)), so store what was consented to, when, under which version of your banner and cookie policy, and a pseudonymous identifier for the visitor; a record that cannot be tied to the banner text the visitor actually saw proves very little
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR/ePrivacy (the exception is a tool run cookie-less with no persistent identifier, such as Matomo in cookie-less mode) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
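The “prior” requirement and the category table above can be checked mechanically: load a page with no consent cookie, capture the Set-Cookie headers the response carries, and anything outside the strictly-necessary category is a violation. The Python below is an added example for this section, not code from the page or from any consent plugin. The cookie-name patterns are common defaults for WordPress, WooCommerce, Google Analytics and the Meta Pixel and are assumptions to extend for your own stack; the sample headers and the consent record are constructed. It also shows why a consent record needs a policy version: a record made under an older banner does not authorise anything under the new one.

```python
"""Audit which cookies a page sets before consent.  Added example for this
section; not code from the page or from any consent plugin.  The cookie-name
patterns are common defaults (WordPress, WooCommerce, Google Analytics, Meta
Pixel) and are assumptions to extend for your own site."""
import re

# (regex on cookie name, category); the first matching rule wins.
COOKIE_RULES = [
    (r"^(PHPSESSID|wordpress_logged_in_|wordpress_sec_|wp-settings|"
     r"woocommerce_(cart_hash|items_in_cart)|wp_woocommerce_session_|csrftoken$)", "necessary"),
    (r"^(pll_language|wp-wpml_current_language|timezone)$", "functional"),
    (r"^(_ga|_gid|_gat|_pk_id|_pk_ses|_hj)", "analytics"),
    (r"^(_fbp|_fbc|_gcl_au|_uetsid|_uetvid|IDE$)", "marketing"),
]

# Only strictly necessary cookies are exempt from prior consent.
EXEMPT = {"necessary"}


def categorise(name: str) -> str:
    """Map a cookie name to a consent category; unknown names need review and consent."""
    for pattern, category in COOKIE_RULES:
        if re.match(pattern, name):
            return category
    return "unknown"


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie name from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def effective_consent(record, current_policy_version: str) -> set:
    """Categories the visitor has validly consented to.

    A record made under an older policy/banner version does not count: the
    visitor must be asked again, so nothing beyond 'necessary' is allowed.
    """
    if record is None or record.get("policy_version") != current_policy_version:
        return set()
    return set(record.get("categories", []))


def pre_consent_violations(set_cookie_headers: list, consented: set) -> list:
    """(name, category) for every cookie set without a matching consent."""
    violations = []
    for header in set_cookie_headers:
        name = cookie_name(header)
        category = categorise(name)
        if category not in EXEMPT and category not in consented:
            violations.append((name, category))
    return violations


# Constructed Set-Cookie headers from a first page load (no consent cookie sent).
SAMPLE_SET_COOKIE = [
    "PHPSESSID=7f3a9c1e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "woocommerce_items_in_cart=1; Path=/; Secure; SameSite=Lax",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    "_fbp=fb.1.1700000000000.123456789; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    "pll_language=en; Path=/",
]

# Constructed consent record as a banner would store it after "analytics only".
SAMPLE_RECORD = {"id": "c0ffee", "timestamp": "2025-03-01T10:15:00Z",
                 "policy_version": "2025-02", "categories": ["analytics"]}

if __name__ == "__main__":
    print("first load, no consent:   ", pre_consent_violations(SAMPLE_SET_COOKIE, set()))
    print("after analytics consent:  ", pre_consent_violations(
        SAMPLE_SET_COOKIE, effective_consent(SAMPLE_RECORD, "2025-02")))
    print("policy changed, stale rec:", pre_consent_violations(
        SAMPLE_SET_COOKIE, effective_consent(SAMPLE_RECORD, "2025-04")))
```

Run the first-load case against every template on your site after each plugin install (the monthly cookie scan in the maintenance schedule): a marketing or analytics cookie in that list means the plugin is firing before consent and needs to be put behind the consent manager’s script blocking. Treat "unknown" as requiring consent until someone has looked the cookie up.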
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a "Do Not Sell or Share My Personal Information" link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out of sale and sharing - the CPRA regulations require it, and the California Attorney General's 2022 settlement with Sephora was brought in part for ignoring it. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin also reads the GPC signal, not just that it shows the link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an iframe-embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor's servers and never touches yours, your PCI scope is reduced to SAQ A (the simplest self-assessment questionnaire). The distinction that matters: SAQ A assumes the card fields themselves are served by the processor (hosted page or processor-controlled iframe); if JavaScript you control collects card data on your page before handing it to the processor, you fall under the longer SAQ A-EP. Either way, any script running on the checkout page can read what the visitor types into fields outside the iframe and can overlay or replace the form, so keep third-party scripts off checkout pages and review what your plugins load there.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses - put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR lets member states set the age of digital consent anywhere from 13 to 16), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make the age screen neutral (ask for a date of birth; do not state the cutoff on the form), and if it reveals an under-13 user, discard what they entered rather than storing it - once you know a user is under 13, COPPA's obligations attach to everything you hold about them.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance - store the timestamp and the ToS version that was accepted alongside it, since a bare "accepted" flag cannot show which terms the user agreed to. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing checkbox must be unticked by default.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of your cookie policy, and by which visitor (a random consent ID is enough; you do not need to identify the person, and keeping IP addresses for this purpose is itself processing of personal data)
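The requirements listed above, and the GPC signal discussed under CCPA earlier on this page, come down to a small piece of state logic on the client. The following is an added example, not code from the article and not from any of the consent plugins it compares: a consent manager that blocks everything non-essential until a choice exists (prior consent), keeps categories separate (granular), stores a log entry with a consent ID, timestamp, method and policy version, invalidates that entry when the policy version changes, withdraws with one call, and treats a Global Privacy Control signal as an opt-out of marketing that overrides an earlier choice made before the signal was on. The storage key, record layout, category names and policyVersion scheme are this example's own assumptions, and the script list is constructed with placeholder paths.

```javascript
// Added example (not from the article or any plugin it names): consent state with
// prior blocking, granular categories, a stored consent record, withdrawal, and
// Global Privacy Control (GPC) handling. Storage key, record layout, category names
// and the policyVersion scheme are this example's own assumptions.
const CATEGORIES = ['functional', 'analytics', 'marketing']; // 'necessary' is always allowed
const STORAGE_KEY = 'consent_record';

// localStorage-compatible in-memory store so the module also runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

function createConsentManager({ storage, policyVersion, gpc = false, now = () => Date.now(), idGen }) {
  const newId = idGen || (() => (globalThis.crypto && globalThis.crypto.randomUUID
    ? globalThis.crypto.randomUUID()
    : now().toString(36) + Math.random().toString(36).slice(2)));

  // A record only counts for the policy version it was given under; after a
  // policy change the banner must be shown again.
  function load() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.policyVersion === policyVersion ? rec : null;
    } catch (e) {
      return null;
    }
  }

  // The stored record is the consent log entry: what was chosen, when, how,
  // under which policy version, and whether a GPC signal was present.
  function save(categories, method) {
    const rec = { id: newId(), policyVersion, timestamp: new Date(now()).toISOString(), method, gpcSeen: gpc, categories };
    storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  const fill = (fn) => Object.fromEntries(CATEGORIES.map((c) => [c, fn(c)]));

  return {
    needsBanner: () => load() === null, // true until a choice exists for this policy version
    record: load,
    allowed(category) {
      if (category === 'necessary') return true;
      const rec = load();
      if (rec === null) return false; // prior consent: nothing non-essential loads before a choice
      // GPC is an opt-out of sale/sharing. It overrides a choice made before the
      // signal was on; a choice made while the banner disclosed the signal stands.
      if (category === 'marketing' && gpc && !rec.gpcSeen) return false;
      return rec.categories[category] === true;
    },
    acceptAll: () => save(fill(() => true), 'accept-all'),
    rejectAll: () => save(fill(() => false), 'reject-all'),
    choose: (selection) => save(fill((c) => selection[c] === true), 'granular'), // unticked means refused
    withdraw: () => { storage.removeItem(STORAGE_KEY); }, // one call, everything blocked again
  };
}

// Return the deferred scripts that may load now. In the page, deferred scripts are
// emitted as <script type="text/plain" data-consent="analytics" data-src="..."> and
// the caller creates a real <script src> only for the entries returned here.
function selectLoadable(scripts, manager) {
  return scripts.filter((s) => manager.allowed(s.category));
}

// Constructed sample script list; the paths are placeholders, not real URLs.
const SAMPLE_SCRIPTS = [
  { category: 'necessary', src: '/assets/session-and-csrf.js' },
  { category: 'analytics', src: '/assets/analytics-tag.js' },
  { category: 'marketing', src: '/assets/ad-pixel.js' },
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const m = createConsentManager({ storage: memoryStorage(), policyVersion: '2024-06' });
  console.log('before any choice:', selectLoadable(SAMPLE_SCRIPTS, m).map((s) => s.src));
  m.choose({ analytics: true });
  console.log('after analytics-only:', selectLoadable(SAMPLE_SCRIPTS, m).map((s) => s.src));
  m.withdraw();
  console.log('after withdrawal:', selectLoadable(SAMPLE_SCRIPTS, m).map((s) => s.src));
}
```

In a browser you would pass window.localStorage as the storage and read the signal from navigator.globalPrivacyControl. The point to check when evaluating a consent plugin is the same one this code makes explicit: the tracking script must not exist in the page as a runnable script until allowed() returns true for its category, and a policy change or a withdrawal must put it back into the blocked state rather than leaving a stale "accepted" flag behind.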
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
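The requirements above, implemented as an added example in plain JavaScript (not code from the article or from any of the plugins it compares): non-essential scripts ship inert and are activated only for the categories the visitor explicitly chose, and every choice produces a timestamped, versioned record that doubles as the consent-log entry. Category names, the cookie name, the policy version string and the 12-month re-consent interval are assumptions.

```javascript
// Added example (not the article's code and not how any named plugin works): a minimal
// consent manager for the five requirements above. Category names, the cookie name,
// the policy version and the 12-month re-consent interval are assumptions.
const CATEGORIES = ['analytics', 'marketing']; // non-essential categories gated by consent
const POLICY_VERSION = '2026-01';              // assumed: change it to re-ask after a policy update
const RECONSENT_DAYS = 365;                    // assumed re-consent interval
const COOKIE_NAME = 'cc_consent';              // the consent cookie itself is strictly necessary

function randomId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'c-' + Math.random().toString(36).slice(2) + Date.now().toString(36);
}

// Before any choice every non-essential category is off: consent is prior, nothing is pre-ticked.
function noConsentRecord() {
  const categories = Object.fromEntries(CATEGORIES.map(c => [c, false]));
  return { id: null, version: POLICY_VERSION, given_at: null, withdrawn_at: null, categories, method: 'none' };
}

// Build a record from an explicit, granular choice. Every category must be answered with a
// boolean, so "Accept All" and "Reject All" are just two valid inputs, and an implied
// (scroll or continue-browsing) acceptance cannot produce a record at all.
function buildConsentRecord(choices, method, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) {
    if (typeof choices[c] !== 'boolean') throw new Error(`missing explicit choice for "${c}"`);
    categories[c] = choices[c];
  }
  return { id: randomId(), version: POLICY_VERSION, given_at: now.toISOString(), withdrawn_at: null, categories, method };
}

// Withdrawal keeps the id so the server-side log can link it to the original consent entry.
function withdrawConsent(record, now = new Date()) {
  const categories = Object.fromEntries(CATEGORIES.map(c => [c, false]));
  return { ...record, given_at: now.toISOString(), withdrawn_at: now.toISOString(), categories, method: 'withdraw' };
}

// A stored record only counts if it was given under the current policy version and recently enough.
function isRecordCurrent(record, now = new Date()) {
  if (!record || record.version !== POLICY_VERSION || !record.given_at) return false;
  const ageDays = (now.getTime() - Date.parse(record.given_at)) / 86400000;
  return ageDays >= 0 && ageDays <= RECONSENT_DAYS;
}

// First-party cookie carrying the record; the same object is POSTed to the server as the consent log entry.
function consentCookiePair(record) {
  return `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(record))}`;
}
function consentCookie(record) {
  return `${consentCookiePair(record)}; Path=/; Max-Age=${RECONSENT_DAYS * 86400}; SameSite=Lax; Secure`;
}
function parseConsentCookie(cookieString) {
  for (const part of String(cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== COOKIE_NAME) continue;
    try {
      const rec = JSON.parse(decodeURIComponent(rest.join('=')));
      return rec && rec.categories && typeof rec.categories === 'object' ? rec : null;
    } catch { return null; }
  }
  return null;
}

// Page load: a missing, stale or malformed record means nothing non-essential runs.
function consentOnLoad(cookieString, now = new Date()) {
  const stored = parseConsentCookie(cookieString);
  return isRecordCurrent(stored, now) ? stored : noConsentRecord();
}

// Which gated scripts may run: only those whose category the record allows.
function allowedScripts(gated, record) {
  return gated.filter(s => record.categories[s.category] === true);
}

// Browser side. Assumed markup: third-party tags ship inert as
// <script type="text/plain" data-consent-category="analytics" src="..."></script>
// and are swapped for live <script> elements only after consent, so they cannot set cookies first.
function activateGatedScripts(record, doc = globalThis.document) {
  if (!doc) return 0;
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const gated = nodes.map(node => ({ node, category: node.getAttribute('data-consent-category') }));
  let activated = 0;
  for (const { node } of allowedScripts(gated, record)) {
    const live = doc.createElement('script');
    if (node.src) live.src = node.src; else live.textContent = node.textContent;
    node.replaceWith(live);
    activated++;
  }
  return activated;
}
```

On the banner's "Save" button, call buildConsentRecord with the checkbox states, write consentCookie(record) to document.cookie, send the record to your consent log endpoint, then call activateGatedScripts; the footer "Cookie settings" link re-opens the same banner pre-filled from parseConsentCookie(document.cookie).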
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-ticked boxes, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
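The requirements above and the category table, turned into a small consent manager as an added example (not code from the original post or from any of the plugins it compares): non-essential categories stay off until an explicit decision, every decision is logged with a timestamp and policy version, withdrawal is a first-class action, and tags load only for allowed categories. The category names, the `POLICY_VERSION` value, the visitor id and the tag URLs are assumptions.

```javascript
// Cookie categories as the banner presents them. Only "necessary" is exempt
// (session, login, cart and CSRF cookies); everything else needs prior opt-in.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]);
// Constructed value: bump it when the policy changes so old records stop counting as consent.
const POLICY_VERSION = "2024-05-01";

// State before any decision: non-essential OFF ("no pre-ticked boxes" in code form).
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, EXEMPT.has(c)]));
}

class ConsentManager {
  // visitorId: a pseudonymous id your site generates (assumption), not the raw IP.
  // clock is injectable so the timestamps in the consent log can be pinned in tests.
  constructor(visitorId, clock = () => Date.now()) {
    this.visitorId = visitorId;
    this.clock = clock;
    this.choices = defaultChoices();
    this.records = []; // the consent log: what was consented to, when, by whom
  }

  // Latest record made under the current policy version, or null.
  currentRecord() {
    const last = this.records[this.records.length - 1];
    return last && last.policyVersion === POLICY_VERSION ? last : null;
  }

  // "Prior" consent: show the banner until a valid record exists.
  needsBanner() {
    return this.currentRecord() === null;
  }

  // The only ways state may change. Scroll or continue-to-browse handlers must
  // never call this: passive behaviour is not consent.
  decide(action, custom = {}) {
    let next;
    if (action === "acceptAll") {
      next = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
    } else if (action === "rejectAll" || action === "withdraw") {
      next = defaultChoices();
    } else if (action === "custom") {
      next = defaultChoices();
      for (const [cat, on] of Object.entries(custom)) {
        if (!CATEGORIES.includes(cat)) throw new Error(`unknown category: ${cat}`);
        if (typeof on !== "boolean") throw new Error(`choice for ${cat} must be boolean`);
        next[cat] = EXEMPT.has(cat) ? true : on; // exempt cannot be switched off
      }
    } else {
      throw new Error(`unknown action: ${action}`);
    }
    this.choices = next;
    this.records.push({
      visitorId: this.visitorId,
      timestamp: new Date(this.clock()).toISOString(),
      action,
      policyVersion: POLICY_VERSION,
      choices: { ...next },
    });
    return { ...next };
  }

  // Gate to call before setting a cookie or injecting a tag.
  allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (EXEMPT.has(category)) return true;
    return this.currentRecord() !== null && this.choices[category] === true;
  }
}

// Tags are declared with a category and only loaded once that category is allowed.
function permittedTags(manager, tags) {
  return tags.filter((t) => manager.allowed(t.category)).map((t) => t.src);
}

// Static check of a banner configuration against the rules in the post; empty list = compliant.
function bannerViolations(config) {
  const problems = [];
  if (!config.hasRejectAll) problems.push("no Reject All beside Accept All");
  for (const [cat, on] of Object.entries(config.preChecked || {})) {
    if (on && !EXEMPT.has(cat)) problems.push(`${cat} is pre-ticked`);
  }
  if (config.consentOnScroll) problems.push("scrolling is treated as consent");
  if (!config.footerSettingsLink) problems.push("no way to withdraw consent later");
  if (config.cookieWall) problems.push("access is conditioned on accepting");
  return problems;
}

// Constructed walk-through (placeholder URLs).
const TAGS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
const visitor = new ConsentManager("visitor-abc123");
console.log(permittedTags(visitor, TAGS)); // only /js/session.js before any decision
visitor.decide("custom", { analytics: true, marketing: false });
console.log(permittedTags(visitor, TAGS)); // session + analytics tags
```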
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the user ID, the timestamp and the version of the terms accepted, not just a boolean. Marketing consent is separate: it needs its own unticked checkbox with its own wording and must not be bundled into the Terms acceptance or into anything the user has to accept to get the account. Data needed to provide the account itself (the email address used for login, for example) is processed under the contract basis and needs no consent checkbox at all. Bundled consent is not valid under GDPR.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it stores identifiers in cookies on the visitor’s device and sends the data to Google. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Has a cookie-less mode. Some supervisory authorities (the French CNIL, for example) exempt it from consent when it is configured according to their audience-measurement guidance (first-party only, no cross-site tracking, truncated IP addresses, no data sharing).
- Plausible: From $9/month. No cookies, no personal data stored, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes analytics from your consent banner (or removes the banner entirely if analytics was your only non-essential category), and often speeds up your site, since these tools load a much smaller script than Google Analytics. Two caveats: the exemption depends on configuration, so document the settings you rely on; and cookie-less does not mean data-free. The IP address and User-Agent still reach the analytics server, so the tool still belongs in your data map, your privacy policy and your DPA list.
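The “no cookies, no personal data” design behind these tools is worth understanding before you rely on it, because it is what lets the vendor argue that no consent is needed. The block below is an added example written for this page, not Plausible’s or Fathom’s code: it implements the scheme Plausible describes in its data policy, a random salt that rotates daily and is hashed together with the site, the IP address and the User-Agent, so visitors can be counted within a day but cannot be linked across days and the IP itself is never stored. The site name and the traffic are constructed.

```python
import hashlib
import secrets
from datetime import date, timedelta


class CookielessVisitorCounter:
    """Counts unique visitors per day without cookies and without storing IPs.

    Each day gets a fresh random salt; the visitor key is
    sha256(salt | site | ip | user_agent). When the salt is discarded at the
    end of the day, yesterday's keys can no longer be recomputed, so visits
    are not linkable across days, and only the keys are kept, never the IP.
    """

    def __init__(self, site: str):
        self.site = site
        self._salts = {}       # day -> salt; only the current day is kept
        self._visitors = {}    # day -> set of visitor keys

    def _salt(self, day: date) -> bytes:
        if day not in self._salts:
            # A new day: drop every older salt so earlier keys are unrecoverable.
            self._salts = {day: secrets.token_bytes(32)}
        return self._salts[day]

    def visitor_key(self, day: date, ip: str, user_agent: str) -> str:
        h = hashlib.sha256()
        for part in (self._salt(day), self.site.encode(), ip.encode(), user_agent.encode()):
            h.update(len(part).to_bytes(2, "big") + part)   # length-prefix each field
        return h.hexdigest()

    def record_hit(self, day: date, ip: str, user_agent: str) -> None:
        self._visitors.setdefault(day, set()).add(self.visitor_key(day, ip, user_agent))

    def unique_visitors(self, day: date) -> int:
        return len(self._visitors.get(day, ()))


def demo() -> dict:
    """Constructed traffic: two devices on day one, one of them back on day two."""
    counter = CookielessVisitorCounter("example.org")   # hypothetical site
    d1 = date(2025, 1, 15)
    d2 = d1 + timedelta(days=1)
    phone = ("203.0.113.7", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)")
    laptop = ("198.51.100.22", "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0")
    for _ in range(3):                      # three page views, one visitor
        counter.record_hit(d1, *phone)
    counter.record_hit(d1, *laptop)
    key_day1 = counter.visitor_key(d1, *phone)
    counter.record_hit(d2, *phone)          # same phone, next day: new salt
    key_day2 = counter.visitor_key(d2, *phone)
    return {
        "day1_unique": counter.unique_visitors(d1),
        "day2_unique": counter.unique_visitors(d2),
        "linkable_across_days": key_day1 == key_day2,
    }


if __name__ == "__main__":
    print(demo())
```

The privacy property rests entirely on the salt being random and discarded: a fixed or predictable salt turns the key into a persistent identifier, at which point you are back to needing consent.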
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Whichever plugin you choose, verify the blocking empirically rather than trusting the dashboard: open the site in a fresh private window, do not touch the banner, and inspect the browser’s cookie store and network requests. If _ga, _fbp or a pixel request is already there, some plugin or theme is loading the tag outside the consent manager’s control and needs to be integrated or removed.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month deadline, subject to the Article 17 exceptions such as legal retention duties, and pass the erasure on to the processors that hold copies)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you, as Article 28 requires. This includes: Google Analytics (accept Google’s data processing terms in the Analytics admin), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), and hosting providers (Cloudways and Kinsta both have DPAs available).
Most major vendors offer DPAs for download or electronic acceptance in their settings dashboards, so completing them is about ten minutes per vendor. Not having them in place is a GDPR violation even if everything else is in order. For vendors outside the EU/EEA (most US services), the DPA also needs a valid transfer mechanism, typically the Standard Contractual Clauses or the vendor’s EU-US Data Privacy Framework certification; check which one the DPA relies on and note it in your data map.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data (users, comments, media) plus whatever plugins have registered with the privacy API, but not every plugin does. Check whether your WooCommerce orders, BuddyPress profiles and form submissions are included, and remember that a complete erasure also means deleting the person’s records at your processors (email platform, CRM, analytics), which these tools do not do for you.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify the affected people directly without undue delay. Keep an internal record of every breach, including the ones you decide not to report and why, as Article 33(5) requires. Designate someone responsible for breach assessment and notification, and decide in advance how you will establish what happened (web server and application logs with enough retention to reconstruct an incident), because the 72-hour clock does not wait for forensics.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and treat an opt-out as an instruction to stop loading the advertising pixels for that visitor, not merely as a logged preference. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require honoring the Global Privacy Control (GPC) browser signal, sent as the Sec-GPC: 1 request header, as a valid opt-out; California’s first CCPA enforcement action (the 2022 Sephora settlement) turned partly on ignoring it.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set, not after the visitor has already been tracked for a session. The rule covers storing or reading anything on the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts are caught just as cookies are: swapping a cookie for another storage mechanism does not remove the consent requirement.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, under which version of your cookie policy, and by whom. For anonymous visitors “whom” is a random consent ID stored alongside the choice, not an identity you would otherwise not have had; the record exists to prove consent, not to track the person
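To make “prior” concrete: the decision about which third-party scripts a page may load has to be taken before the HTML reaches the browser, using only a consent that is still current and was given under the current policy version. The block below is an added example written for this page, not code from any of the consent plugins discussed: it models the consent cookie, the server-side consent log record (what the consent-records requirement asks for), and the script-gating decision, emitting non-consented tags in the inert type="text/plain" form that consent managers commonly use so a later “Accept” can activate them without a reload. POLICY_VERSION, MAX_CONSENT_AGE, the tag URLs and all visitor data are assumptions or constructed.

```python
import json
import secrets
from datetime import datetime, timedelta, timezone

POLICY_VERSION = "2025-01"             # hypothetical; bump it whenever the cookie policy changes
CATEGORIES = ("functional", "analytics", "marketing")   # strictly necessary needs no consent
MAX_CONSENT_AGE = timedelta(days=180)  # assumption: re-ask after roughly six months

# Third-party tags the page would like to load, by consent category (constructed).
TAGS = {
    "analytics": ["https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"],
    "marketing": ["https://connect.facebook.net/en_US/fbevents.js"],
}


def new_consent_record(choices: dict, ip: str, user_agent: str, now: datetime) -> dict:
    """Build the record to log server-side when the visitor submits the banner.

    Unlisted categories default to False (no pre-ticked consent). The IP is
    truncated to a /24 (IPv4 only, constructed) so the log is evidence of
    consent rather than a tracking database.
    """
    granted = {c: bool(choices.get(c, False)) for c in CATEGORIES}
    return {
        "consent_id": secrets.token_urlsafe(16),   # random; not tied to any account
        "timestamp": now.isoformat(),
        "policy_version": POLICY_VERSION,
        "granted": granted,
        "ip_prefix": ".".join(ip.split(".")[:3]) + ".0",
        "user_agent": user_agent[:200],
    }


def consent_cookie_value(record: dict) -> str:
    """The browser only needs id, version, timestamp and choices (no IP or UA)."""
    keep = {k: record[k] for k in ("consent_id", "timestamp", "policy_version", "granted")}
    return json.dumps(keep, separators=(",", ":"))


def effective_consent(cookie_value, now: datetime) -> dict:
    """Categories the visitor has validly consented to; all False when the cookie
    is missing, malformed, older than MAX_CONSENT_AGE, or from an older policy."""
    none = {c: False for c in CATEGORIES}
    if not cookie_value:
        return none
    try:
        data = json.loads(cookie_value)
        given = datetime.fromisoformat(data["timestamp"])
        if data["policy_version"] != POLICY_VERSION or now - given > MAX_CONSENT_AGE:
            return none
        return {c: bool(data["granted"].get(c, False)) for c in CATEGORIES}
    except (ValueError, KeyError, TypeError, AttributeError):
        return none


def render_tags(consent: dict) -> list:
    """Executable <script> only for consented categories; everything else inert."""
    out = []
    for category, urls in TAGS.items():
        for url in urls:
            if consent.get(category):
                out.append(f'<script src="{url}"></script>')
            else:
                out.append(f'<script type="text/plain" data-category="{category}" data-src="{url}"></script>')
    return out


def demo() -> dict:
    """Walk through the three states a request can be in (constructed data)."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    first = effective_consent(None, now)                      # first visit: nothing non-essential runs
    record = new_consent_record({"analytics": True}, "203.0.113.45", "Mozilla/5.0 (constructed)", now)
    cookie = consent_cookie_value(record)                     # visitor accepted analytics only
    later = effective_consent(cookie, now + timedelta(days=30))
    stale = effective_consent(cookie, now + MAX_CONSENT_AGE + timedelta(days=1))  # re-ask
    return {"first": first, "later": later, "stale": stale, "record": record,
            "tags_later": render_tags(later)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Withdrawal is the same path in reverse: a new record with every category False, a new cookie, and the inert form for every tag on the next request. Note that the policy version check is what forces a fresh prompt when you add a new category, which a plain expiry date would not do.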
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the consent cookie itself | No - exempt from consent, but still listed in your cookie policy |
| Functional | Language preferences, timezone, saved preferences | Depends - exempt only where the visitor explicitly asked for the feature; often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (some authorities exempt first-party, cookie-less or anonymised audience measurement such as a correctly configured Matomo) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
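A cookie audit is the check that the table above turns into: capture every Set-Cookie header your site sends to a visitor who has not interacted with the banner, classify each cookie, and flag any non-essential cookie that is already present. The block below is an added example written for this page, not output from any scanner or plugin: the name table is a constructed starting point (extend it from your own scan results), the headers are constructed, and, because session and login cookies are the ones an attacker wants, it also flags a session cookie that lacks the Secure or HttpOnly attribute.

```python
import re
from typing import Dict, List, Tuple

# Cookie-name patterns -> consent category, following the categories table.
# Constructed starting list: extend it from your own cookie scan.
KNOWN_COOKIES = [
    (re.compile(r"^(wordpress_logged_in_|wordpress_sec_|wp-settings|PHPSESSID$|wp_woocommerce_session_|woocommerce_)"), "strictly_necessary"),
    (re.compile(r"^(cmplz_|CookieConsent$|cookieyes-consent$)"), "strictly_necessary"),   # the consent cookie itself
    (re.compile(r"^(pll_language$|wp-wpml_current_language$)"), "functional"),
    (re.compile(r"^(_ga|_gid$|_gat|_pk_id|_pk_ses|_hj)"), "analytics"),
    (re.compile(r"^(_fbp$|_fbc$|_gcl_au$|IDE$|fr$|test_cookie$)"), "marketing"),
]
# Cookies that carry a session or login: these must be Secure and HttpOnly.
AUTH_COOKIE = re.compile(r"^(wordpress_logged_in_|wordpress_sec_|PHPSESSID$|wp_woocommerce_session_)")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, {attribute: value}); bare flags map to ''."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def classify(name: str) -> str:
    for pattern, category in KNOWN_COOKIES:
        if pattern.search(name):
            return category
    return "unknown"


def audit(set_cookie_headers: List[str], consent_given: bool = False) -> List[Tuple[str, str, str]]:
    """Return (cookie_name, category, issue) for every cookie that needs attention."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        category = classify(name)
        if category == "unknown":
            findings.append((name, category, "not in the cookie table: classify it and add it to the policy"))
        elif category != "strictly_necessary" and not consent_given:
            findings.append((name, category, "set before consent; must be blocked until the visitor opts in"))
        if AUTH_COOKIE.search(name):
            missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
            if missing:
                findings.append((name, category, "session cookie missing " + "/".join(missing)))
    return findings


# Constructed Set-Cookie headers, as captured from a first, banner-untouched page load.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "wordpress_logged_in_1a2b=admin%7C1700000000%7Cabc; Path=/; HttpOnly",
    "cmplz_consent_status=allow; Path=/; Max-Age=31536000; Secure",
    "_ga=GA1.1.123456789.1700000000; Domain=.example.org; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1700000000000.987654321; Domain=.example.org; Path=/; Max-Age=7776000",
    "theme_mode=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for name, category, issue in audit(SAMPLE_SET_COOKIE):
        print(f"{name} [{category}]: {issue}")
```

Feed it the headers from a real capture (browser devtools, or a HAR export of a private-window visit) rather than a single curl request: many tags are set by JavaScript after the page loads and never appear in the HTML response’s headers at all.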
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox at registration or checkout (clickwrap) is far more likely to be enforced than “using the site implies acceptance” (browsewrap), which US courts have repeatedly declined to enforce; use the checkbox on any service where you may need to rely on the arbitration or liability clauses
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CCPA was amended by the CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A statement that using the site implies acceptance (browsewrap) is frequently refused enforcement by US courts; for paid services, and anywhere you rely on an arbitration or limitation clause, require an explicit checkbox (clickwrap) and keep a record of the acceptance
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers every other way of storing or reading data on the visitor’s device - localStorage, tracking pixels, fingerprinting scripts - so moving a tracker from a cookie to a storage key does not escape it. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Article 7(1)), so store what was consented to, when, under which version of your cookie policy, and against which consent ID. Key the record to a random consent ID held in a first-party cookie, not to the visitor’s identity, so the consent log does not itself become a tracking profile
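The five requirements above translate into a small amount of front-end logic: default to “refused” until the visitor chooses, decide per category, log a record, allow withdrawal, and only then let blocked scripts run. The following is an added example of that logic, not code from any plugin named on this page; the category names, the `data-consent` attribute, the record fields and the localStorage key are this example’s own choices. It also goes one step beyond the text by treating a Global Privacy Control signal as an opt-out of marketing, which is what the CCPA section later asks for.

```javascript
// Added example: a minimal consent state model plus the script gate used by
// "script blocking" banners. Illustration only, not code from any plugin in
// the table above. Category names, the data-consent attribute, the record
// fields and the GPC handling are this example's own choices.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Normalize a set of choices. Only "necessary" is implied; every other
// category defaults to false, so a visitor who has made no choice is treated
// as having refused. That is what "prior consent" means in practice.
function normalizeChoices(choices = {}) {
  const out = {};
  for (const c of CATEGORIES) out[c] = c === 'necessary' ? true : choices[c] === true;
  return out;
}

// Random consent ID. It is stored with the record and in a first-party
// cookie or localStorage; it identifies the consent, not the person.
function newConsentId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'cid-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 10);
}

// Build the record to log: what was consented to, when, under which policy
// version, and how. Beyond the text: a Global Privacy Control signal
// (navigator.globalPrivacyControl === true) is an opt-out of sale/sharing,
// so it forces marketing off no matter what the banner reported.
function createRecord(choices, opts = {}) {
  const { policyVersion = 'unversioned', now = new Date(), gpc = false, id = newConsentId() } = opts;
  const normalized = normalizeChoices(choices);
  if (gpc) normalized.marketing = false;
  return { id, policyVersion, timestamp: now.toISOString(), source: gpc ? 'banner+gpc' : 'banner', choices: normalized };
}

// Withdrawal is logged as a new record under the same consent ID, so the
// history (consented at T1, withdrawn at T2) survives.
function withdraw(record, now = new Date()) {
  return { ...record, timestamp: now.toISOString(), source: 'withdrawal', choices: normalizeChoices({}) };
}

// Gate decision for one category. No record means no consent.
function isAllowed(record, category) {
  if (category === 'necessary') return true;
  if (!record || !record.choices || !CATEGORIES.includes(category)) return false;
  return record.choices[category] === true;
}

// Script gate. Blocked trackers are shipped as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// which the browser parses but never executes. For each allowed category a
// fresh script element is created; flipping "type" on the existing element
// would not execute it. Returns the categories that were activated.
function activateScripts(doc, record) {
  const activated = [];
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  for (const old of blocked) {
    const category = old.getAttribute('data-consent');
    if (!isAllowed(record, category)) continue;
    const fresh = doc.createElement('script');
    if (old.src) fresh.src = old.src; else fresh.text = old.text;
    fresh.setAttribute('data-consent', category);
    old.parentNode.replaceChild(fresh, old);
    activated.push(category);
  }
  return activated;
}

// Browser wiring (skipped outside a browser, e.g. under Node): restore a
// stored record and open the gate. A banner "Save" handler would call
// createRecord(choices, { policyVersion, gpc: navigator.globalPrivacyControl === true }),
// persist the result, POST it to the consent log, then call activateScripts.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const stored = localStorage.getItem('consent-record');
  activateScripts(document, stored ? JSON.parse(stored) : null);
}
```

Storing the record in a first-party cookie or localStorage is itself strictly necessary, so it needs no consent; the same record must also be sent to your server, because the Article 7 burden of proof is on you, not on the visitor’s browser cache.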
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR when they set cookies or otherwise identify the visitor (Matomo can also run cookie-less; see Privacy-First Analytics Options) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data without undue delay and within one month; the deadline can be extended by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month deadline, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form) and how you verify the requester’s identity before releasing or erasing anything - an unverified access request is a cheap way for an attacker to obtain someone else’s records, and an unverified deletion request is a way to destroy them
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data (users, comments, media metadata) but only cover plugin data if the plugin registers its own exporter and eraser with those tools through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. WooCommerce does; check whether your BuddyPress profiles, form submissions, and other plugins do, or whether they provide separate export/erasure tools. Run a test request against a throwaway account and compare the export with the data map from the checklist above - anything in the map that is missing from the export is an access request you cannot currently answer.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly and without undue delay. Two practical consequences: the clock starts at awareness, so you need logging and monitoring that lets you notice a breach and establish what was accessed; and every breach, including ones you decide not to report, must be documented internally with the facts, the effects, and the remedial action taken. Your processors (hosting, email platform, CRM) are obliged to tell you about breaches on their side without undue delay - check that the DPA says who they will contact. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CCPA regulations also require you to treat a browser opt-out preference signal such as Global Privacy Control (sent as the Sec-GPC: 1 request header and exposed to scripts as navigator.globalPrivacyControl) as a valid opt-out, so your consent tooling has to read that signal and suppress advertising pixels on its own rather than waiting for the visitor to find the footer link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded iframe payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the processor’s iframe or hosted page to the processor’s servers and never touches yours, your scope is reduced to SAQ A (the simplest self-assessment questionnaire). If instead your own page’s JavaScript reads the card number and posts it to the processor, you fall under the longer SAQ A-EP, because any script injected into your page could read the number too.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of logs, error reports and analytics payloads. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server. PCI DSS v4 also brought the scripts on the payment page into scope (script inventory and integrity checks in requirement 6.4.3, tamper detection in 11.6.1), and SAQ A eligibility now asks you to confirm your site is not exposed to script attacks against that page - a compromised plugin or third-party script on your checkout page can skim card details from the form before the processor ever sees them.
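“Card data never touches your server” is a design goal that is easy to break by accident: a support note field, a “payment reference” box, or an error log can all end up carrying a full card number. The following is an added example, not Stripe’s, PayPal’s or WooCommerce’s code, of a server-side guard for the tokenized model just described: the checkout endpoint accepts only an opaque processor token, rejects raw card fields and any value that passes the Luhn check, and masks such values before they reach a log line. The `tok_`/`pm_` token prefixes and the field names are assumptions for illustration.

```javascript
// Added example, not Stripe's, PayPal's or WooCommerce's code: a server-side
// guard for the tokenized model above. The checkout endpoint should only ever
// receive an opaque processor token; this rejects requests that carry a raw
// card field or any Luhn-valid number, and masks such numbers before logging.
// The "tok_"/"pm_" prefixes and the field names are assumptions.

// Digit runs of 12-19 characters, optionally separated by spaces or dashes,
// the way a card number is typed into a form.
const PAN_CANDIDATE = /(?:\d[ -]?){11,18}\d/g;

// Luhn checksum: true for a syntactically valid card number. It does not
// prove a card exists, but it reliably separates PANs from order numbers.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// All Luhn-valid candidates in a string, returned as plain digit strings.
function findPans(text) {
  const found = [];
  for (const m of String(text).match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Mask every PAN to its last four digits so the string is safe to log.
// PCI DSS forbids a full PAN in logs; "we never log card data" is only true
// if a guard like this sits in front of the logger.
function scrubPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// Field names that must never appear in a request to your own server.
const RAW_CARD_FIELDS = ['card_number', 'cardNumber', 'pan', 'cvv', 'cvc', 'expiry'];

// Validate a checkout request body. Accepts only an opaque token; a raw card
// field, or any value that looks like a PAN, is rejected so card data never
// enters your application, your database or your logs.
function validateCheckout(body) {
  for (const key of Object.keys(body)) {
    if (RAW_CARD_FIELDS.includes(key)) return { ok: false, reason: `raw card field "${key}" is not accepted` };
    if (findPans(body[key]).length > 0) return { ok: false, reason: `value of "${key}" looks like a card number` };
  }
  const token = body.payment_token;
  if (typeof token !== 'string' || !/^(tok|pm)_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, reason: 'missing or malformed payment token' };
  }
  return { ok: true, token };
}
```

Wire `scrubPans` into whatever formats your log lines and `validateCheckout` into the checkout route before anything is persisted. The Luhn check is a filter, not a scanner: a 13-digit tracking number can occasionally pass it, which is the right failure direction for a guard that exists to keep PANs out.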
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and the designation must be renewed every three years or it lapses and takes the safe harbor with it - put the renewal date in your maintenance schedule. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR lets member states set the age of digital consent anywhere from 13 to 16), and add a date of birth or age check to registration forms if there is any possibility of underage users. Use a neutral age screen (ask for the date of birth, do not state the cutoff, and do not let a rejected visitor simply go back and try again), and do not keep the date of birth once the check has passed unless you need it for something else - storing it turns an age gate into one more piece of personal data to protect.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version (or a hash of its text) with the user record, since a record of agreeing to unspecified terms proves little. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, and none of them may be pre-ticked - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy rules allow a narrow “soft opt-in” for existing customers who were offered an opt-out at the time of purchase). Under CAN-SPAM (US), opt-in is not required, but every message must carry a working unsubscribe mechanism and requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with limited implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (the subscriber clicks an unguessable, expiring link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With no cookie or other device storage the ePrivacy consent rule does not apply, and some regulators accept plain audience measurement without consent when it is configured that way (France’s CNIL, for example, lists suitably configured Matomo as exempt). GDPR still applies, though: IP addresses are personal data, so you need a lawful basis (usually legitimate interest), IP anonymization switched on, and a mention in your privacy policy.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
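The requirements above (active opt-in with nothing pre-ticked, granular categories, "Reject all" as easy as "Accept all", withdrawal, consent records, and blocking non-essential scripts until a decision exists) as an added JavaScript example. It is not code from the article or from any of the plugins compared below; the category names, the policy-version check, the record format and the `data-category` tag convention in the usage note are my assumptions.

```javascript
// Added example: a minimal consent-gating model for the ePrivacy/GDPR rules above.
// Category names, POLICY_VERSION and the record shape are assumptions, not a plugin's API.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed: bump whenever the cookie policy text changes

// Default state: nothing granted. No pre-ticked boxes, no consent-by-scrolling.
// "necessary" is exempt from consent rather than subject to it, so it is always on.
function emptyConsent() {
  return {
    version: POLICY_VERSION,
    decidedAt: null,
    method: null,
    granted: { necessary: true, functional: false, analytics: false, marketing: false },
  };
}

// Granular decision: a category is granted only by an explicit `true` (active opt-in).
// Unknown keys and truthy-but-not-true values ("yes", 1) are ignored.
function decide(choices, method = "granular", now = new Date()) {
  const consent = emptyConsent();
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    consent.granted[category] = choices[category] === true;
  }
  consent.decidedAt = now.toISOString();
  consent.method = method;
  return consent;
}

// Accepting everything and rejecting everything must be equally easy: one call each.
function acceptAll(now = new Date()) {
  return decide({ functional: true, analytics: true, marketing: true }, "accept-all", now);
}
function rejectAll(now = new Date()) {
  return decide({}, "reject-all", now);
}
// Withdrawal (the footer "cookie settings" link) is the same one-step action.
function withdraw(now = new Date()) {
  return decide({}, "withdrawn", now);
}

// Consent given under an older policy version is stale: the banner must ask again.
function isCurrent(consent) {
  return consent.decidedAt !== null && consent.version === POLICY_VERSION;
}

// Script blocking: a tag may run only when its category is granted under a current
// consent. Only strictly necessary scripts run before the visitor decides ("prior").
function isAllowed(consent, category) {
  if (category === "necessary") return true;
  return isCurrent(consent) && consent.granted[category] === true;
}

// Given the page's blocked tags (modelled as { src, category }), return those that
// may be activated now. Everything else stays inert.
function scriptsToActivate(consent, tags) {
  return tags.filter((tag) => isAllowed(consent, tag.category));
}

// The record to persist: what was consented to, when, how, and by which (pseudonymous)
// subject id. subjectId is an assumed identifier your site already assigns.
function toLogEntry(consent, subjectId) {
  return {
    subjectId,
    version: consent.version,
    decidedAt: consent.decidedAt,
    method: consent.method,
    granted: { ...consent.granted },
  };
}
```

In a real page the non-essential tags would be emitted inert, for example as `<script type="text/plain" data-category="analytics" data-src="...">` (an assumed convention; the plugins above use their own attributes), and re-created as live script elements only for the entries `scriptsToActivate` returns. The entry from `toLogEntry` is what you would store to satisfy the consent-records requirement, and the version check is what forces a fresh decision after you change the cookie policy.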
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
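A server-side check that enforces "do not collect card numbers in your own forms", as an added example in Node-style JavaScript. It is not code from the article, from Stripe, PayPal or WooCommerce; the Express-like middleware shape (`req.body`, `res.status().json()`) and the sample request bodies are my assumptions. The idea is that if a form is ever miswired to post the raw card number instead of a processor token, the request is refused and flagged before the number can reach your database or your logs.

```javascript
// Added example: a guard that keeps raw card numbers (PANs) out of your application.
// The middleware shape is assumed to be Express-like; adapt to your framework.

// Luhn check: every real card number passes it, so it separates PANs from order
// numbers and phone numbers of similar length with few false positives.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, with spaces and dashes removed, it is 13-19 digits
// and Luhn-valid. Processor tokens (e.g. values starting with "tok_" or "pm_") never match.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body (JSON object, form fields, nested arrays) and return
// the dotted path of every field holding something that looks like a PAN.
function findPanFields(body, path = "") {
  const hits = [];
  if (body && typeof body === "object") {
    for (const [key, value] of Object.entries(body)) {
      hits.push(...findPanFields(value, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Middleware: refuse the request and log the *field name only*. The value is never
// written anywhere, so a miswired form cannot pull your logs into PCI scope either.
function rejectRawCardData(logger = console) {
  return function (req, res, next) {
    const hits = findPanFields(req.body);
    if (hits.length === 0) return next();
    logger.warn(`card-data guard: rejected request, PAN-like value in field(s): ${hits.join(", ")}`);
    res.status(400).json({ error: "Raw card numbers are not accepted; submit a payment token." });
  };
}
```

Mount it in front of every route that accepts form or JSON input, not only the checkout route: the point of the guard is catching the form you did not expect to carry card data. The 4242 4242 4242 4242 number used in the test is Stripe's published test card, which is why it passes the Luhn check.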
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt, extendable by two further months for complex or numerous requests if you tell the requester why within the first month; verify the requester’s identity before releasing anything, because an unverified access request is a cheap way for an attacker to harvest someone else’s data)
- Process for deletion requests (erase within the same one-month window, with exceptions such as records you must keep for tax or other legal obligations; remember backups and third-party processors, and tell the requester if you are relying on an exception)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you - GDPR Article 28 requires a written contract with every processor. This includes: Google Analytics (accept Google’s data processing terms), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order. For vendors that process data outside the EU/EEA, check that the DPA also covers the transfer mechanism (Standard Contractual Clauses or a certification such as the EU-US Data Privacy Framework), and keep a copy of each signed version so you can show what was in force on a given date.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if you miss the deadline you must explain the delay. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. Every breach, reported or not, has to be recorded in an internal breach register with its facts, its effects and the remedial action taken. Designate someone responsible for breach assessment and notification in your organization, and decide in advance who can pull server logs and revoke credentials - 72 hours is short when nobody has access.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (the figure is adjusted for inflation periodically), buy, sell or share the personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is reduced to SAQ A (the simplest self-assessment questionnaire). The caveat: SAQ A assumes the payment fields are delivered entirely by the processor, either a redirect to a hosted page or an iframe the processor controls. If your own page renders the card fields and a script posts them to the processor, you fall into SAQ A-EP instead, which is considerably longer because your page’s scripts and your server are now in scope.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot leak into places you did not intend: web server access logs, form-plugin submission tables, support tickets and error reports. Stripe Elements and PayPal’s Smart Buttons render the sensitive fields inside iframes the processor controls, and WooCommerce’s official Stripe and PayPal plugins use them, so the card details are tokenized client-side and your server only ever receives a token.
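The “never in your database” rule is only verifiable if you look. Added here as an example (not part of the original post and not any processor’s tooling): a scanner that runs over log lines or database dumps, finds digit runs of card-number length that pass the Luhn check, and reports them masked so the report itself is not a new leak. The sample lines are constructed; the numbers that pass are standard Stripe test PANs, not real cards.

```python
"""Scan logs or database dumps for card numbers that should never be there."""
import re
from typing import List, Tuple

# Constructed sample lines: a form-plugin log, a web server access log, a
# database row and a false-positive candidate. The Luhn-valid numbers are
# standard test PANs (Stripe's 4242... and 5555... test cards), not real cards.
SAMPLE_LINES = [
    '2024-05-01 10:02:11 forms: submission id=881 fields={"name":"A. Customer","card":"4242 4242 4242 4242"}',
    '203.0.113.9 - - [01/May/2024:10:02:12 +0000] "POST /checkout HTTP/1.1" 200 512',
    'order_id=10023 total=49.90 phone=+1-202-555-0143 txn=5555555555554444',
    'tracking=1234567890123456 note=not a card',
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run (so timestamps and ids do not bleed in).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid, card-length digit run in one line."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four (what PCI DSS allows to be displayed)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line number, masked PAN) for every hit; never emits the full number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask(pan)))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LINES):
        print(f"line {line_no}: possible card number {masked}")
```

Point it at `/var/log/nginx/access.log`, a `mysqldump` of the WordPress database, and your form plugin’s entries table; a single hit in any of them means card data touched your infrastructure and your SAQ A claim no longer holds.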
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years and must be renewed, so put the renewal date on the same calendar as your DPA and policy reviews. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR sets the age of digital consent at 16 unless a member state lowers it, to no less than 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make the age screen neutral (ask for the date of birth without announcing the cutoff next to the field) and do not keep any data from a visitor who fails it; storing their details would itself be collection from a child.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you actually record it: store the user, the timestamp, the IP address and the version of the terms accepted, because an acceptance log that cannot say which text was agreed to is worth little in a dispute. ToS acceptance is a contract, not GDPR consent, so it cannot carry marketing permissions along with it. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
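A cookie scan is only as good as the check you run on the result. The script below is an added example for this post, not code from any of the consent plugins named here: it takes Set-Cookie headers captured from a fresh browser session, before the visitor has touched the consent banner (the headers shown are constructed samples of what a WordPress site with analytics and an ad pixel might emit), and reports every non-essential cookie set pre-consent plus basic attribute hygiene. The list of strictly-necessary name prefixes is an assumption for the example; adjust it to the cookies your own site legitimately needs before consent.

```python
"""Audit Set-Cookie headers captured from a fresh, pre-consent page load."""
from dataclasses import dataclass, field
from typing import List

# Constructed sample: headers a WordPress site might emit on a first visit,
# before the visitor has interacted with the consent banner.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=8f3c9a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cmplz_consented_services=; Max-Age=31536000; Path=/; SameSite=Lax",
    "_ga=GA1.2.12345.67890; Max-Age=63072000; Path=/; Domain=.example.com",
    "_fbp=fb.1.1700000000.1; Max-Age=7776000; Path=/; Domain=.example.com",
    "woocommerce_items_in_cart=1; Path=/; Secure; HttpOnly",
]

# Assumption for the example: these prefixes are strictly necessary (session,
# storage of the consent choice itself, cart). Anything else set before the
# visitor has consented is a finding.
NECESSARY_PREFIXES = ("PHPSESSID", "wordpress_", "wp-", "cmplz_", "woocommerce_")


@dataclass
class CookieFinding:
    name: str
    persistent: bool
    secure: bool
    httponly: bool
    samesite: str
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieFinding:
    """Split one Set-Cookie header into name plus the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    # A cookie with Max-Age or Expires survives the browser session.
    persistent = "max-age" in attrs or "expires" in attrs
    return CookieFinding(
        name=name,
        persistent=persistent,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite", "").lower() or "unset",
    )


def audit_pre_consent(headers: List[str]) -> List[CookieFinding]:
    """Flag consent problems first, then attribute hygiene."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        essential = c.name.startswith(NECESSARY_PREFIXES)
        if not essential:
            c.issues.append("non-essential cookie set before consent")
            if c.persistent:
                c.issues.append("persistent tracking cookie")
        if not c.secure:
            c.issues.append("missing Secure")
        if c.samesite == "unset":
            c.issues.append("SameSite not set")
        elif c.samesite == "none" and not c.secure:
            c.issues.append("SameSite=None without Secure (browsers will reject it)")
        findings.append(c)
    return findings


def cookies_needing_consent(headers: List[str]) -> List[str]:
    """Names of cookies that must not be set until the visitor opts in."""
    return [f.name for f in audit_pre_consent(headers)
            if "non-essential cookie set before consent" in f.issues]


if __name__ == "__main__":
    for f in audit_pre_consent(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{f.name}: {'; '.join(f.issues) or 'ok'}")
```

Feed it the Set-Cookie headers from your browser’s network panel (or `curl -sI https://example.com | grep -i set-cookie` for server-set cookies; script-set cookies need the browser) on a first visit with no banner interaction. Every name the function returns is a cookie your consent plugin should be blocking until the visitor opts in.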
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs accurate header and subject lines, a valid physical postal address and a working opt-out mechanism that stays functional for at least 30 days after sending, and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages, with limited implied-consent exceptions such as an existing business relationship, and implied consent is time-limited.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 business days - be faster than legally required), and never purchase email lists. Together these cover the consent and unsubscribe rules of all three regimes; the remaining CAN-SPAM formalities (postal address, accurate headers) are fixed once in your email template.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
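If you run your own signup flow instead of a platform’s hosted form, the two pieces you must get right are the confirmation link and the record it produces. The block below is an added example, not code from this post or from any of the platforms named above: the confirmation token is an HMAC over the address and the issue time, so nobody can forge a confirmation for an address that never signed up, it expires after 48 hours, and it is compared in constant time. The signing key (generated at import so the example runs stand-alone), the TTL, the form id and the IP addresses are assumptions for the example.

```python
"""Double opt-in confirmation tokens and the consent record they produce."""
import hashlib
import hmac
import json
import secrets
import time

# Assumption: in production this comes from configuration, not from the code.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after 48 hours


def make_confirmation_token(email: str, issued_at: int, key: bytes = SIGNING_KEY) -> str:
    """Bind the address and issue time under an HMAC; the token goes in the link."""
    payload = f"{email.lower()}|{issued_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_confirmation_token(email: str, token: str, now: int,
                              key: bytes = SIGNING_KEY) -> bool:
    """True only for an unexpired token issued for exactly this address."""
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(key, f"{email.lower()}|{issued_at}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


def build_consent_record(email: str, signup_ip: str, confirm_ip: str,
                         form_id: str, confirmed_at: int,
                         consent_text: str) -> dict:
    """What to keep per subscriber: when, from where, via which form, and a
    hash of the exact wording they agreed to (match it against the archived
    form text when you need to prove what was shown)."""
    return {
        "email": email.lower(),
        "method": "double-opt-in",
        "form_id": form_id,
        "signup_ip": signup_ip,
        "confirm_ip": confirm_ip,
        "confirmed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(confirmed_at)),
        "consent_text_sha256": hashlib.sha256(consent_text.encode()).hexdigest(),
    }


if __name__ == "__main__":
    issued = int(time.time())
    token = make_confirmation_token("Alice@Example.com", issued)
    # The link in the confirmation email carries this token; on click:
    if verify_confirmation_token("alice@example.com", token, int(time.time())):
        record = build_consent_record("alice@example.com", "203.0.113.5",
                                      "203.0.113.5", "footer-newsletter-v3",
                                      int(time.time()),
                                      "I agree to receive the monthly newsletter.")
        print(json.dumps(record, indent=2))
```

Keep the record for as long as the subscription lasts plus whatever your retention policy says, and archive every version of the signup form text, because the hash is only useful if you still have the text it was computed from.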
Privacy-First Analytics Options
Google Analytics requires consent under the EU cookie rules (the ePrivacy Directive, which applies alongside GDPR) because it sets tracking cookies that are not strictly necessary for the site to work, and under GDPR because the data it collects is personal data sent to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Several supervisory authorities (the French CNIL, for one) treat it as exempt from the consent requirement when configured to their guidance: cookieless or first-party cookies limited to audience measurement, IP addresses truncated, no cross-site tracking and no data shared with third parties. These are not all defaults; check each setting after install.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. Browsewrap (using the site implies acceptance) is the weakest form; clickwrap (an explicit "I agree" checkbox at registration or checkout) is far more likely to hold up, so use it wherever an account is created or money changes hands
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule is written in terms of storing or reading information on the visitor’s device, not cookies specifically, so localStorage, tracking pixels and fingerprinting scripts need the same consent even though no cookie is involved.
The key practical requirements:
- No pre-ticked boxes or implied consent: Consent must be an affirmative act (the user clicks “Accept”), not passive (a pre-ticked box, scrolling, or continuing to browse). The CJEU’s Planet49 judgment (2019) settled that a pre-ticked box is not consent.
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” button without an equally prominent “Reject All” is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard. Withdrawal has to stop the scripts, not just flip a flag: your page’s JavaScript can clear first-party cookies but cannot touch a third party’s, so blocking the script before consent matters more than cleaning up afterwards.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate that consent was given (GDPR Art. 7(1)): record what was consented to, when, under which version of your cookie policy, and a way to tie the record to the visitor. A random consent ID stored in a first-party cookie does that without logging extra personal data; do not start collecting names or full IP addresses just to prove consent.
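As an added example (not code from this post or from any of the plugins named below), here is the core of a consent gate of the kind the “Script Blocking” column in the plugin table refers to. Third-party tags are served inert as `<script type="text/plain" data-consent="analytics" src="...">`, which browsers do not execute, and only the categories the visitor accepted are turned into live scripts. The consent record carries a policy version and a random ID so it can be produced later without logging extra personal data. The cookie name, the policy version string and the 180-day lifetime are assumptions; the DOM-touching step is injected so the same logic runs unchanged under Node.js.

```javascript
'use strict';
// Added example: a minimal consent gate. Not from the post or from any plugin named in it.
// Runs in the browser; the DOM-touching step is injected so it also runs under Node.

const CATEGORIES = ['analytics', 'marketing'];   // non-essential categories this site uses
const POLICY_VERSION = '2024-06';                // assumed: bump when the cookie policy changes
const CONSENT_COOKIE = 'site_consent';           // assumed first-party cookie; strictly necessary, so exempt
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;      // assumed: re-ask after six months

// The record you must be able to produce later: what, when, under which policy, for whom.
// randomId is injected (crypto.randomUUID in both Node and browsers) so tests are deterministic.
function buildConsentRecord(choices, nowMs, randomId) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;   // anything unspecified is denied
  return { id: randomId(), version: POLICY_VERSION, at: new Date(nowMs).toISOString(), categories };
}
// "Reject all" must be as easy as "Accept all": both are one call producing the same shape.
function acceptAll(nowMs, randomId) {
  return buildConsentRecord(Object.fromEntries(CATEGORIES.map((c) => [c, true])), nowMs, randomId);
}
function rejectAll(nowMs, randomId) {
  return buildConsentRecord({}, nowMs, randomId);
}
// Withdrawal of one category: a new record (new timestamp) with that category denied.
function withdraw(record, category, nowMs, randomId) {
  return buildConsentRecord({ ...record.categories, [category]: false }, nowMs, randomId);
}

// First-party cookie carrying the record. SameSite=Lax and Secure: nothing cross-site needs it.
function toCookieString(record) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; Path=/; Max-Age=${CONSENT_MAX_AGE}; SameSite=Lax; Secure`;
}
// Parse document.cookie (or a Cookie header). A missing, malformed or stale-version record
// means "no consent": ask again and load nothing non-essential.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (record && record.version === POLICY_VERSION && record.categories) return record;
    } catch (e) { /* malformed: treat as no consent */ }
  }
  return null;
}

// Decide which inert tags may run. A node is anything with getAttribute(), e.g. the result of
// document.querySelectorAll('script[type="text/plain"][data-consent]').
function scriptsToActivate(nodes, record) {
  const allowed = [];
  for (const node of nodes) {
    const category = node.getAttribute('data-consent');
    if (record && record.categories[category] === true) {
      allowed.push({ category, src: node.getAttribute('src') || null, inline: node.textContent || '' });
    }
  }
  return allowed;
}
// Browser wiring: inject = ({ src, inline }) => { const s = document.createElement('script');
// if (src) s.src = src; else s.textContent = inline; document.head.appendChild(s); }
function activateScripts(nodes, record, inject) {
  const allowed = scriptsToActivate(nodes, record);
  allowed.forEach(inject);
  return allowed.length;
}
```

On page load, call `parseConsentCookie(document.cookie)`; if it returns null, show the banner and activate nothing. Once the visitor chooses, write `toCookieString(record)` to `document.cookie`, run `activateScripts`, and keep the same record (by its `id`) in your server-side consent log.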
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the cookie that stores the visitor’s consent choice | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR by default; a cookie-less, IP-truncated audience-measurement setup (Matomo’s exempt configuration) is the narrow exception |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. One caveat on geo-targeting: it relies on IP geolocation, which misplaces VPN users and travelling EU residents, so if you would rather not argue about a misclassified visitor, show the banner to everyone.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month, extendable by two further months for complex or numerous requests, Art. 12(3)). Verify the requester’s identity first - Art. 12(6) lets you ask for more information when you have reasonable doubts - because handing a person’s data to an impostor is itself a reportable breach
- Process for deletion requests (erase within the same one-month window, with exceptions such as records you must keep for tax or accounting purposes)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Both first email the requester a confirmation link and act only after it is clicked, which is the identity check you want, so do not bypass them by exporting by hand on the strength of an unverified email. They cover core WordPress data; plugins have to register their own exporters and erasers (through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters). WooCommerce does; check whether your BuddyPress profiles and form submissions are covered or need handling separately.
Breach Notification
GDPR requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Art. 33). If it is likely to result in a high risk, you must also notify the affected users directly (Art. 34); that duty falls away if the exposed data was encrypted and the key was not exposed (Art. 34(3)(a)), which is the compliance argument for encrypting backups and exports. Keep an internal record of every breach, including the ones you decide not to report (Art. 33(5)). Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require you to honor the browser-sent Global Privacy Control (GPC) opt-out signal; check that your consent plugin detects it rather than relying on the footer link alone.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor (Stripe, PayPal, Square). When card data goes from the processor’s frame straight to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). If instead your own page’s JavaScript collects the card number and posts it to the processor, you fall into SAQ A-EP, a far longer questionnaire, so prefer the iframe or redirect options.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details inside processor-hosted frames and tokenizing them before anything reaches your server. Reduced scope is not zero scope: a script injected into your checkout page (a compromised plugin, a stale admin password) can overlay or replace the processor’s frame and skim cards - the Magecart pattern - so PCI DSS v4.0 expects you to keep an inventory of the scripts on the payment page and to detect changes to them (requirements 6.4.3 and 11.6.1). Keep the checkout page’s own scripts few, pinned and monitored.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years and must be renewed, and the same agent contact details must also be published on your site, so put them on a DMCA policy page that explains your takedown process and designates an email address or form for receiving notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR Art. 8 sets 16 as the default age of digital consent and lets member states lower it to 13), and add a date-of-birth check to registration forms if there is any possibility of underage users. Following FTC guidance, ask for the date of birth neutrally rather than with an “Are you over 13?” box that invites a false answer, and do not let a visitor who fails the check simply go back and retry.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you actually log it: store the timestamp and the version of the terms that was shown, not just a boolean. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and accepting the ToS is never consent to marketing.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
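The requirements above and the category table, as an added example that is not part of the original post or of any plugin's code: a minimal consent gate in plain JavaScript that keeps non-essential scripts inert until an explicit per-category choice exists, records what was consented to and when, and treats withdrawal as a new record rather than a deletion. The category names follow the table; the policy version string, the record format, the optional subject id and the `data-consent` script attribute are assumptions made for this example.

```javascript
// Added example (not from the original post). Category names follow the
// page's cookie category table; everything else here is an assumption.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-01'; // assumed: bump whenever the cookie policy changes

// Default state: no pre-ticked boxes. "necessary" is exempt (not consent-based),
// so it is always on and can never be refused.
function defaultState() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from an active user choice. Anything other than an
// explicit `true` for a category is treated as a refusal (no passive consent).
// Unknown categories are rejected so a typo cannot silently grant something.
function recordConsent(choices, { now = new Date(), subjectId = null } = {}) {
  const state = defaultState();
  for (const [cat, val] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    if (cat === 'necessary') continue; // exempt, always on
    state[cat] = val === true;
  }
  return {
    version: POLICY_VERSION,     // what the user consented to (which policy text)
    timestamp: now.toISOString(), // when
    subjectId,                    // by whom (assumed: your own visitor/account id, or null)
    choices: state,
    withdrawn: false,
  };
}

// "Reject All" must be as easy as "Accept All", and it produces a valid record too.
function rejectAll(opts) { return recordConsent({}, opts); }
function acceptAll(opts) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, opts);
}

// Withdrawal is as easy as giving consent and keeps the audit trail: the old
// choices are superseded, not erased, and the withdrawal time is recorded.
function withdrawConsent(record, { now = new Date() } = {}) {
  return { ...record, choices: defaultState(), withdrawn: true, withdrawnAt: now.toISOString() };
}

// The "prior" rule: a category may load only if a record exists, it is for the
// current policy version, it was not withdrawn, and the category was granted.
function mayLoad(category, record) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category)) return false; // unknown: treat as non-essential
  if (!record || record.withdrawn || record.version !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// Parse a persisted record (first-party cookie or localStorage). Malformed or
// missing data means "no consent"; never fall back to assuming yes.
function loadRecord(json) {
  try {
    const r = JSON.parse(json);
    if (!r || typeof r !== 'object' || !r.choices || typeof r.choices !== 'object') return null;
    return r;
  } catch (_err) {
    return null;
  }
}

// Browser-only hook (assumed markup): tags written as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// are inert until this runs; granted categories are swapped for real scripts.
// Returns the number of scripts activated; 0 when there is no DOM.
function activateBlockedScripts(record, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent, record)) continue;
    const s = doc.createElement('script');
    for (const { name, value } of el.attributes) {
      if (name !== 'type') s.setAttribute(name, value);
    }
    s.text = el.text; // inline body, if any
    el.replaceWith(s);
    activated++;
  }
  return activated;
}
```

Persist the record returned by `recordConsent` server-side as well if you need to prove consent for a logged-in user; the client copy alone can be cleared by the visitor.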
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page (a redirect) or an embedded payment form that a compliant processor (Stripe, PayPal, Square) serves from its own domain, typically inside an iframe. When card data goes straight from the visitor’s browser to the processor and never touches your servers, your scope shrinks to SAQ A, the simplest self-assessment questionnaire. The distinction that matters: SAQ A requires that every element of the payment form shown to the customer comes from the processor. If your own page hosts the JavaScript that collects and posts the card number (a “direct post” integration), you fall into SAQ A-EP, which carries far more requirements.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and watch for them turning up in web server logs, error reports and support tickets, which are in scope the moment a number lands there. Stripe.js with Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: the card fields render in processor-hosted iframes, the processor returns a token or payment method ID, and only that ID reaches your server. The page that embeds the iframe is still yours, though, and it is the target of card-skimming (Magecart) script injections. Keep third-party scripts off the checkout page and note that PCI DSS v4.0 added requirements (6.4.3 and 11.6.1) for inventorying, authorizing and monitoring the scripts that load on payment pages.
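One check worth running before signing an SAQ A, added here as an example and not taken from the page, Stripe, PayPal or WooCommerce: scan the places a card number could have leaked (web server logs, error reports, support tickets, database exports) for digit runs that pass the Luhn check. The sample sources in the block are constructed; the two numbers it flags are the processors’ published test cards, and the 16-digit order ID in the log line fails Luhn and is correctly ignored.

```javascript
'use strict';
// Added example, not code from the page, Stripe, PayPal or WooCommerce: a scanner
// that flags probable card numbers (PANs) in text you control, so you can verify
// that a PAN never ends up in request logs, error reports, support tickets or a
// database export. The sample sources at the bottom are constructed.

// Luhn check-digit validation. Every real PAN passes it, so it filters out most
// order numbers and phone numbers, but about 1 in 10 random digit runs passes
// too: treat hits as leads to inspect, not proof.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
// dashes (how people type them into free-text fields), not embedded in a
// longer digit run.
const CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// One finding per probable PAN. Only a masked form is returned: the scanner
// must not itself become another place the full number is written down.
function findPans(text, sourceLabel = 'input') {
  const findings = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (!luhnValid(digits)) continue;
    findings.push({
      source: sourceLabel,
      offset: m.index,
      masked: digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4),
    });
  }
  return findings;
}

// Scan several named text sources (log file contents, CSV export rows, captured
// HTTP bodies) and collect all findings.
function scanSources(sources) {
  return Object.entries(sources).flatMap(([label, text]) => findPans(text, label));
}

// Constructed sample. 4242 4242 4242 4242 and 5555 5555 5555 4444 are the
// processors' published test card numbers; 1234567890123456 is an order id
// that fails Luhn and must not be flagged.
const SAMPLE_SOURCES = {
  'access.log': '203.0.113.7 - - [01/Jun/2024:10:15:02 +0000] "POST /checkout HTTP/1.1" 200 order=1234567890123456',
  'support-ticket.txt': 'Customer says payment failed, card 4242 4242 4242 4242 exp 12/26, please retry',
  'db-export.csv': '1042,jane@example.com,5555555555554444,2024-06-01',
};

function demo() {
  return scanSources(SAMPLE_SOURCES);
}
```

Run it over real exports with something like scanSources({ 'orders.csv': fs.readFileSync('orders.csv', 'utf8') }). Any hit means a PAN reached a system that is now in PCI scope, whatever the integration was supposed to do. Because Luhn alone passes about a tenth of random digit runs, expect a few false positives from tracking numbers and invoice IDs and confirm hits by hand.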
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor protects you from liability for copyright infringement by users - but only if you have registered a designated agent with the US Copyright Office, publish the same agent contact details on your site, run a working notice-and-takedown process, and have adopted and reasonably implemented a policy for terminating repeat infringers.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or the designation expires and the safe harbor with it. Add a DMCA policy page to your site explaining your takedown process and your counter-notice process (which lets a user whose content was removed contest the claim), and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (13 in the US; 16 by default under GDPR Article 8, which member states may lower to as little as 13), and add an age screen to registration forms if there is any realistic chance of underage users. Two details from FTC guidance matter here: ask for the age neutrally (a date-of-birth field, not an “Are you over 13?” box that tells the child what to answer), and if the answer is under 13, do not create the account or keep what was entered.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Requiring the user to tick an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account. Do not bundle marketing consent into that box. Processing the account data itself rests on the contract with the user, not on consent, so it needs no checkbox at all; GDPR consent for email marketing must be a separate, unticked checkbox that the user can leave empty and still register. A single “I agree to the Terms and to receive marketing emails” checkbox is bundled consent and is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent rules layered on top of GDPR. In the EU, marketing email is governed by the ePrivacy Directive (Article 13) together with GDPR: you need prior opt-in consent, with one narrow “soft opt-in” exception for existing customers who are sent offers for similar products and were given a chance to refuse when their address was collected. Under CAN-SPAM (US), opt-in is not required, but every message needs accurate headers, a valid postal address, and a working unsubscribe honored within 10 business days. Under CASL (Canada), express consent is required for commercial electronic messages; implied consent is available in limited situations such as an existing business relationship, and it expires after a set period (generally two years from the last transaction).
For a globally compliant email list: use double opt-in (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP address, method of consent and the exact consent wording shown for each subscriber, honor unsubscribe requests within 24 hours (faster than any of these laws demands), and never buy or rent email lists. Double opt-in also keeps the list clean: a confirmation link that is never clicked stops typos and forged sign-ups from landing on your list, and the record it produces is what you show a regulator who asks where a subscriber’s consent came from.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it stores identifiers in the visitor’s browser and builds behavioral profiles; the transfer of that data to Google’s servers in the US was a second problem, the one several EU regulators ruled on in 2022. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. France’s CNIL exempts audience-measurement tools from the consent requirement when they are configured to produce only aggregate statistics with no cross-site tracking, and lists Matomo in that configuration as eligible; other regulators are not all as explicit, so treat “no consent needed” as dependent on both the configuration and the jurisdiction.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of receipt, extendable by two further months for complex or numerous requests, and free of charge)
- Process for deletion requests (erase within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you (GDPR Article 28). This includes: Google Analytics (accept the Google Ads Data Processing Terms in the Analytics admin), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), and hosting providers (Cloudways, Kinsta - both have DPAs available). Read which role each document assigns: a payment processor acts as an independent controller for much of the card and fraud-screening data it handles, so its DPA covers only the processing it does on your instructions.
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data (users, comments, media) plus any plugin that registers an exporter and eraser with core’s privacy hooks; WooCommerce does this for orders and customer data, but many plugins do not. Before relying on these tools for a real request, run an export for a test account and check whether its BuddyPress profile, form submissions, and membership or CRM records appear in the result.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify the affected users directly without undue delay. Keep an internal log of every breach, including those you decide not to report, with the facts, effects and remedial action taken; Article 33(5) requires it and the authority can ask to see it. Designate someone responsible for breach assessment and notification, and agree in advance with your host and other processors that they will tell you promptly about incidents on their side, since their delay eats into your 72 hours.
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule is not limited to cookies: ePrivacy Article 5(3) covers any storing of information on, or reading of information from, the visitor’s device, so localStorage, tracking pixels and device fingerprinting are in scope too. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session - which is why a consent tool must actually block the tags rather than merely display a banner while they run.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)), so store a record of what was consented to, when, the version of the policy text that was shown, and an identifier for the browser or account that gave it. Keep the record minimal (a random consent ID, timestamp, choices and policy version) rather than turning the consent log into a profile of the visitor
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the cookie that stores the visitor’s own consent choices | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (a few regulators, e.g. France’s CNIL, exempt tools configured for aggregate-only audience measurement) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
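To make “prior” consent concrete, an added example (not code from the page or from any of the plugins the post compares) of what a script-blocking consent tool does: tags are emitted inert as script elements with type="text/plain" and a category attribute, only the categories the visitor allowed are turned into live scripts, and every decision, including “Reject All”, is recorded together with the policy version it was given for. The attribute name, the policy version and the fake document used to run it outside a browser are assumptions of the example.

```javascript
'use strict';
// Added example, not code from the page or from any of the plugins it names:
// the mechanism behind "script blocking" in a consent tool. Third-party tags are
// shipped inert, as <script type="text/plain" data-consent-category="...">, so
// the browser never runs them, and are activated only for categories the
// visitor has allowed. The attribute name, policy version and category list are
// assumptions; the fake document at the end stands in for the browser DOM.

const POLICY_VERSION = '2024-06-01';            // bump whenever the cookie policy text changes
const CATEGORIES = ['analytics', 'marketing'];  // strictly necessary cookies are exempt and never gated

// Build a consent record. Anything not explicitly granted is denied, and a
// "Reject All" is recorded too: it is a decision, and storing it is what lets
// you stop re-prompting the visitor on every page.
function recordConsent(choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

// Consent given for an older policy text does not carry over: "informed"
// consent is consent to what the visitor was actually shown.
function isAllowed(record, category) {
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// Withdrawal is the same shape as consent, with every category refused. Scripts
// already running in this page cannot be un-run; the usual answer is to clear
// their cookies and reload, and the next load sees the new record.
function withdrawConsent(now) {
  return recordConsent({}, now);
}

// Swap each inert tag whose category is allowed for a live <script>. `doc` is
// the DOM document, or any object with the same two methods. Returns the
// categories that were activated, for the consent log.
function activateScripts(doc, record) {
  const activated = [];
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    const category = tag.getAttribute('data-consent-category');
    if (!isAllowed(record, category)) continue;
    const live = doc.createElement('script');
    if (tag.getAttribute('src')) live.setAttribute('src', tag.getAttribute('src'));
    live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated.push(category);
  }
  return activated;
}

// Minimal stand-in for the DOM so the example runs under Node. It supports only
// the one selector used above.
function fakeTag(type, attrs, text = '') {
  return {
    attrs: Object.assign({ type }, attrs), textContent: text, replaced: null,
    getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; },
    setAttribute(k, v) { this.attrs[k] = v; },
    replaceWith(node) { this.replaced = node; },
  };
}
function fakeDocument(tags) {
  return {
    querySelectorAll() {
      return tags.filter((t) => t.attrs.type === 'text/plain' && 'data-consent-category' in t.attrs && !t.replaced);
    },
    createElement() { return fakeTag('text/javascript', {}); },
  };
}

// Constructed page: one analytics tag and one marketing pixel, both inert.
// The visitor allows analytics only, so just that tag goes live.
function demo() {
  const doc = fakeDocument([
    fakeTag('text/plain', { 'data-consent-category': 'analytics', src: 'https://analytics.example/script.js' }),
    fakeTag('text/plain', { 'data-consent-category': 'marketing' }, 'fbq("init", "pixel-id")'),
  ]);
  return activateScripts(doc, recordConsent({ analytics: true, marketing: false }));
}
```

The check to make on any consent plugin is the one this code encodes: open the site in a fresh browser profile and, before touching the banner, confirm in the developer tools that no analytics or marketing request has fired and no cookie exists beyond the consent cookie itself. If the tags run first and the banner merely asks afterwards, the consent is not prior and the setup fails the requirement regardless of what the banner says.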
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
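A server-side scope check that enforces the rule above, added here as an example (not code from the post, Stripe, PayPal or WooCommerce): it screens any submitted form body for raw card numbers and refuses to accept or persist them, so a misconfigured form cannot silently pull your server into PCI scope. The field names and the sample bodies are constructed.

```javascript
// Luhn checksum: every real payment card number passes it, most random digit
// strings (order numbers, phone numbers) do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, with spaces and dashes removed, it is 13-19
// digits and Luhn-valid. Processor tokens (e.g. Stripe's pm_/tok_ prefixes)
// and last-four digits never match.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a submitted body (flat or nested) and return the paths of fields that
// carry PAN-like values. An empty result means the body is safe to accept.
function findPanFields(body, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body)) {
    const p = path ? `${path}.${key}` : key;
    if (value && typeof value === 'object') hits.push(...findPanFields(value, p));
    else if (looksLikePan(value)) hits.push(p);
  }
  return hits;
}

// Framework-agnostic handler logic: reject, report the field path only (never
// the value, which would land in your logs), and do not write anything.
function screenCheckoutBody(body) {
  const fields = findPanFields(body);
  if (fields.length > 0) {
    return { accept: false, status: 400, reason: `raw card number in ${fields.join(', ')}` };
  }
  return { accept: true, status: 200 };
}

// Constructed samples: a correctly tokenized submission and a broken form that
// posted the card number itself (4242... is Stripe's published test number).
const TOKENIZED = { order: 'o-1042', payment: { method: 'pm_1N5TESTtoken', last4: '4242' } };
const RAW_PAN = { order: 'o-1043', payment: { card: '4242 4242 4242 4242', exp: '12/29' } };

console.log(screenCheckoutBody(TOKENIZED)); // { accept: true, status: 200 }
console.log(screenCheckoutBody(RAW_PAN));   // { accept: false, status: 400, reason: 'raw card number in payment.card' }
```

The same `findPanFields` walk can be run over a database export or log dump to confirm that no PAN ever reached storage.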
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from anywhere on the site. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
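The requirements list and the category table above, implemented as a small consent state model. This is an added example, not code from the post or from any of the plugins compared below: defaults deny everything but strictly necessary cookies (no pre-ticking), choices are granular per category, tags only activate after a recorded choice (“prior”), withdrawal is a single call, and every decision goes into an append-only record of what, when and by whom. `CATEGORIES`, `POLICY_VERSION`, the `data-consent` attribute, the visitor id and the tag list are assumptions.

```javascript
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Bump when the cookie policy text changes; older records then count as stale (constructed value).
const POLICY_VERSION = '2024-01';

// Before any choice: only strictly necessary cookies. Nothing is pre-ticked.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the categories the visitor actively ticked into an auditable record.
// Omitted categories stay denied; "necessary" is always granted and never asked.
function recordConsent(ticked, visitorId, now = new Date()) {
  const consent = defaultConsent();
  for (const c of ticked) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    consent[c] = true;
  }
  return {
    consent,                        // what was consented to
    visitorId,                      // by whom: a random banner-issued id, not an account id
    timestamp: now.toISOString(),   // when
    policyVersion: POLICY_VERSION,  // which policy text was shown
    action: 'grant',
  };
}

// Withdrawal is as easy as granting: one call, one new record, nothing deleted.
function withdrawConsent(previous, now = new Date()) {
  return { ...previous, consent: defaultConsent(), timestamp: now.toISOString(), action: 'withdraw' };
}

// The append-only log is the evidence you show a regulator; the newest entry is
// the current state. A record for an older policy version is stale: treat it as
// no consent and show the banner again.
function currentConsent(log) {
  if (log.length === 0) return null;
  const latest = log[log.length - 1];
  return latest.policyVersion === POLICY_VERSION ? latest.consent : null;
}

// Script blocking: every tag is registered with its category. With no valid
// record (consent === null) only necessary tags may load, which is what
// "prior" consent means in practice.
function allowedScripts(tags, consent) {
  const c = consent || defaultConsent();
  return tags.filter(t => t.category === 'necessary' || c[t.category] === true);
}

// Browser glue (skipped under Node): blocked tags ship as type="text/plain"
// with a data-consent category and are only turned into live scripts here.
function activateScripts(consent) {
  if (typeof document === 'undefined') return 0;
  const blocked = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = blocked.map(el => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const { el } of allowedScripts(tags, consent)) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample: a tag registry and one visitor's history.
const TAGS = [
  { category: 'necessary', src: '/js/csrf.js' },
  { category: 'functional', src: '/js/lang-pref.js' },
  { category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { category: 'marketing', src: 'https://example.invalid/pixel.js' },
];

function demo() {
  const log = [];
  const before = allowedScripts(TAGS, currentConsent(log)).map(t => t.category);
  log.push(recordConsent(['analytics'], 'v-8f3a', new Date('2024-03-01T10:00:00Z')));
  const after = allowedScripts(TAGS, currentConsent(log)).map(t => t.category);
  log.push(withdrawConsent(log[log.length - 1], new Date('2024-03-05T09:30:00Z')));
  const withdrawn = allowedScripts(TAGS, currentConsent(log)).map(t => t.category);
  return { before, after, withdrawn, entries: log.length };
}

console.log(demo());
// { before: ['necessary'], after: ['necessary', 'analytics'], withdrawn: ['necessary'], entries: 2 }
```

In a real deployment the log is posted to your server (or the plugin's consent store) rather than kept in memory, and `activateScripts` runs once on page load and again after each banner interaction.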
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
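As an added example (not Stripe’s, PayPal’s or WooCommerce’s code), a JavaScript server-side guard that flags any submitted form field containing a Luhn-valid card number, so a mis-built or misused form cannot quietly pull card data onto your server and out of SAQ A scope. The submission data is constructed; 4242 4242 4242 4242 is a public test card number, not a real account.

```javascript
// Added example, not Stripe's, PayPal's or WooCommerce's code: a server-side
// guard that refuses form submissions carrying anything that looks like a
// card number, so card data cannot land on your server through a field it
// was never meant for (a "notes" box, a support form, a mis-built checkout).

// Luhn check over a string of 13-19 digits.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs are runs of 13-19 digits, optionally separated by single
// spaces or dashes as people type them. Only Luhn-valid runs are reported,
// so ordinary order numbers and timestamps are left alone.
function findPans(text) {
  const found = [];
  const pattern = /(?:\d[ -]?){12,18}\d/g;
  for (const match of String(text).matchAll(pattern)) {
    const digits = match[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// For alerting only: first six and last four, never the full PAN in logs.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Scan every submitted field; returns the offending fields with masked values.
// An empty result means the submission may be stored; a non-empty one should
// be rejected and only the masked finding logged.
function checkFormFields(fields) {
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findPans(value)) {
      findings.push({ field: name, masked: maskPan(pan) });
    }
  }
  return findings;
}

// Constructed sample submission. 4242 4242 4242 4242 is a public test card
// number, not a real account; the order number is an arbitrary 16-digit value
// that fails the Luhn check and so must not be flagged.
const sampleSubmission = {
  name: 'A. Customer',
  order: '1234567890123456',
  notes: 'please charge 4242 4242 4242 4242 and ship tomorrow',
};
```

Run the check before anything is written to the database or logs; a finding means the form is collecting data it must not, and the fix is the form, not the storage.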
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
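An added example in JavaScript, not code from the post or from any consent plugin, covering the practical requirements above and the category table: prior consent (vendor scripts stay inert until consented to), granular categories with a one-click Reject All, a consent record, and one-call withdrawal. It assumes vendor tags are written as `<script type="text/plain" data-consent="analytics" ...>`; that attribute convention, the cookie names and the policy version are assumptions of this example.

```javascript
// Added example, not code from the post or from any consent plugin: a minimal
// consent gate implementing prior consent, granular categories, an equal
// "Reject All", easy withdrawal and a consent record.
// Assumption: vendor tags are written as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser does not execute them until this code re-inserts them.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // assumed; bump whenever the cookie policy changes

// One boolean per category. "necessary" is exempt and always true; every
// other category defaults to false, i.e. nothing is pre-ticked, and only an
// explicit boolean true counts as consent.
function buildConsent(choices = {}) {
  const consent = {};
  for (const c of CATEGORIES) {
    consent[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return consent;
}

const acceptAll = () =>
  buildConsent({ functional: true, analytics: true, marketing: true });
const rejectAll = () => buildConsent({}); // must be one click, like acceptAll

// Record to persist server-side: what was consented to, when, by which
// subject and against which policy version. Store a pseudonymous id in the
// log itself, not raw personal data.
function buildConsentRecord(consent, subjectId, now = new Date()) {
  return {
    subject: subjectId,
    timestamp: now.toISOString(),
    policyVersion: POLICY_VERSION,
    granted: CATEGORIES.filter((c) => consent[c]),
    refused: CATEGORIES.filter((c) => !consent[c]),
  };
}

// May a script tagged data-consent="<category>" run? Unknown categories
// fail closed.
function scriptAllowed(consent, category) {
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Withdrawal is one call: every non-essential category goes back to false,
// and the caller gets the list of categories whose cookies must now be removed.
function withdrawConsent(consent) {
  const updated = rejectAll();
  const revoked = CATEGORIES.filter((c) => consent[c] && !updated[c]);
  return { consent: updated, revoked };
}

// Cookie names the site knows it sets, by category (constructed sample).
const KNOWN_COOKIES = {
  functional: ['lang'],
  analytics: ['_ga', '_gid'],
  marketing: ['_fbp', 'IDE'],
};

// Cookies present in the browser that the current consent state does not
// cover, e.g. set by a mis-tagged script or left over after withdrawal.
function cookiesToDelete(consent, presentCookieNames) {
  const out = [];
  for (const [category, names] of Object.entries(KNOWN_COOKIES)) {
    if (consent[category]) continue;
    for (const name of names) {
      if (presentCookieNames.includes(name)) out.push(name);
    }
  }
  return out;
}

// Browser glue: re-insert blocked scripts whose category is consented to and
// expire cookies that consent does not cover. Guarded so the pure functions
// above also run under Node.
function applyConsentToDom(consent, doc) {
  const d = doc || (typeof document !== 'undefined' ? document : null);
  if (!d) return 0;
  let activated = 0;
  for (const el of d.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!scriptAllowed(consent, el.dataset.consent)) continue;
    const live = d.createElement('script');
    if (el.src) live.src = el.src;
    else live.textContent = el.textContent;
    el.replaceWith(live); // a fresh script element with the default type executes
    activated += 1;
  }
  const present = d.cookie.split('; ').map((c) => c.split('=')[0]);
  for (const name of cookiesToDelete(consent, present)) {
    // Cookies set on a parent domain also need a matching Domain attribute here.
    d.cookie = `${name}=; Max-Age=0; path=/`;
  }
  return activated;
}
```

Send the record from buildConsentRecord to your server on every Accept, Reject or withdrawal so the consent log exists independently of the visitor’s browser.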
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers storing or reading anything on the visitor’s device, not just cookies: localStorage entries, tracking pixels and fingerprinting scripts need the same consent, which is why a consent tool has to block the scripts themselves rather than only delete cookies after the fact.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Art. 7(1)), so store a record of what was consented to, when, through which mechanism (banner, settings panel), against which version of your cookie policy, and by which user - or by a random consent ID for anonymous visitors, so the log itself does not become a tracking database
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - exempt when the visitor explicitly asked for the feature (chose a language, ticked “remember me”); otherwise requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR; a few regulators (France’s CNIL, for example) exempt strictly first-party, anonymized audience measurement, which a cookie-less Matomo setup can qualify for |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. One caveat on geo-targeting: it relies on IP geolocation, so an EU visitor behind a VPN or a misclassified IP range may see no banner at all; if you cannot tolerate that risk, show the banner to everyone.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two months for complex requests; verify the requester’s identity first, because a forged access request is an easy way for an attacker to pull someone else’s data out of you)
- Process for deletion requests (erase data within one month, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. Every breach, including the ones you decide not to report, must be documented internally with its facts, effects and the remedial action taken (Article 33(5)), so keep an incident log from day one. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually obliged to tell you about breaches on their side, because your 72-hour clock starts when you learn of it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control browser signal (the Sec-GPC: 1 request header, exposed in the browser as navigator.globalPrivacyControl), which the CPRA regulations treat as a valid opt-out request even if the visitor never clicks the link. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
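The consent rules from the “Cookie Consent: What the Law Actually Requires” section and the California opt-out just described, as one added example in plain JavaScript. This is not code from the original post or from any of the plugins compared earlier. It assumes the four categories from the cookie table, a hypothetical POLICY_VERSION string and a constructed script inventory; the browser glue at the end expects gated scripts to ship as `<script type="text/plain" data-categories="...">`, a blocking technique widely used by cookie plugins.

```javascript
// Added example: a minimal consent gate. Not code from the post or from any CMP plugin.
// Assumptions: POLICY_VERSION, the category list and SAMPLE_SCRIPTS are constructed here.
const POLICY_VERSION = "2024-06"; // bump whenever the cookie policy text changes
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed inventory of gated scripts. On a real page each ships as
// <script type="text/plain" data-categories="analytics,marketing" src="...">:
// the browser parses it but does not run it until the gate swaps it for a live tag.
const SAMPLE_SCRIPTS = [
  { src: "/js/cart.js", categories: ["necessary"] },
  { src: "/js/language-switcher.js", categories: ["functional"] },
  { src: "/js/analytics.js", categories: ["analytics"] },
  { src: "/js/retargeting-pixel.js", categories: ["marketing"] },
  { src: "/js/ab-test.js", categories: ["analytics", "marketing"] },
];

// State before the visitor has chosen anything. Under the opt-in regime (GDPR/ePrivacy)
// only "necessary" is granted, which is what "prior consent" means in practice. Under the
// opt-out regime (CCPA/CPRA) everything may run, but a Global Privacy Control signal
// (Sec-GPC: 1 header or navigator.globalPrivacyControl) is a valid "do not sell or share"
// request and switches marketing off before any pixel loads.
function initialRecord(regime, gpcSignal, now) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" || regime === "opt-out";
  let method = "default";
  if (regime === "opt-out" && gpcSignal) {
    granted.marketing = false;
    method = "gpc_signal";
  }
  return { regime, policyVersion: POLICY_VERSION, timestamp: now, method, granted };
}

// An explicit choice from the banner or settings panel. "necessary" can never be refused;
// every other category is granted only if the visitor actively ticked it (a missing key
// means refused, so nothing is pre-ticked). Returns a new record; the old one stays in the log.
function applyChoice(record, choices, method, now) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" ? true : choices[c] === true;
  return { ...record, granted, method, timestamp: now };
}

// Withdrawal is the same operation with one category switched off. The UI that calls it
// (a footer "cookie settings" link) must be as easy to reach as the original Accept button.
function withdraw(record, category, now) {
  if (category === "necessary") return record;
  return applyChoice(record, { ...record.granted, [category]: false }, "settings_panel", now);
}

// A script runs only when every category it declares has been granted.
function scriptsToActivate(record, scripts) {
  return scripts.filter((s) => s.categories.every((c) => record.granted[c] === true));
}

// The entry to persist in the consent log (GDPR Art. 7(1): you must be able to demonstrate
// consent). It keeps the policy version the visitor saw and a random consent id rather
// than the account id, so the log itself does not become a tracking database.
function consentLogEntry(record, consentId) {
  return { consentId, ...record };
}

// Browser glue, skipped under Node: replace each permitted text/plain script with a live
// one. Returns the number of scripts activated.
function activateInDom(record) {
  if (typeof document === "undefined") return 0;
  const nodes = Array.from(document.querySelectorAll('script[type="text/plain"][data-categories]'));
  const inventory = nodes.map((n) => ({ node: n, categories: n.dataset.categories.split(",") }));
  let count = 0;
  for (const { node } of scriptsToActivate(record, inventory)) {
    const live = document.createElement("script");
    if (node.src) live.src = node.src;
    else live.textContent = node.textContent;
    node.replaceWith(live);
    count += 1;
  }
  return count;
}
```

The point of keeping the decision logic separate from the DOM glue is that you can unit-test the three things regulators actually ask about (nothing non-essential runs before a choice, a partial choice only unlocks what was ticked, withdrawal is a first-class operation) without a browser. A script that declares two categories, like the A/B test above, runs only when both are granted, which is the conservative reading when a vendor script serves more than one purpose.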
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). SAQ A covers the redirect and iframe integrations; a form whose JavaScript you host yourself and that posts card data straight to the processor falls under the longer SAQ A-EP. Even under SAQ A, the page that embeds the payment form is still yours to protect: a compromised plugin that injects a skimming script into the checkout page (the Magecart pattern) captures card numbers regardless of where the iframe posts them, so keep that page’s plugins and scripts under tight control.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The registration expires after three years and must be renewed, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make the age screen neutral (ask for the date of birth without stating the cutoff next to the field, so it does not invite children to lie), and do not retain the details submitted by visitors the check rejects.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account so you can show later which text the user agreed to. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy rules allow a narrow “soft opt-in” for existing customers buying similar products, but double opt-in is the safe baseline). Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages; the main exception is implied consent from an existing business relationship, which itself expires after a set period.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly - cookie-less tracking, IP anonymization, no cross-site tracking, audience measurement only; France’s CNIL publishes the exact configuration it exempts.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
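The consent rules listed above and the category table, as an added example that is not part of the original post and not code from any of the plugins it compares: a small consent gate that holds non-essential scripts until their category is granted, starts with nothing pre-ticked, treats reject and withdraw as a single call, and appends a record of every choice. The loader callback, the store interface and the record fields are assumptions made for this example.

```javascript
// The four categories from the table above; only strictly necessary is exempt.
const CATEGORIES = Object.freeze({
  necessary: { exempt: true },   // set without consent
  functional: { exempt: false },
  analytics: { exempt: false },
  marketing: { exempt: false },
});

// Starting state: no optional category is pre-ticked; only exempt ones are on.
function defaultChoices() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) choices[name] = meta.exempt;
  return choices;
}

// In-memory consent log used by this example. A real site keeps the same
// records server-side (or in localStorage plus a server copy) for as long as
// its retention period requires.
class MemoryConsentStore {
  constructor() { this.records = []; }
  nextId() { return `consent-${this.records.length + 1}`; }
  append(record) { this.records.push(record); }
  latest() { return this.records.length ? this.records[this.records.length - 1] : null; }
}

class ConsentManager {
  // loadScript(src): in a browser this would append a <script> tag; here it is
  // a callback so the logic can be exercised without a DOM.
  constructor({ loadScript, store, now = () => new Date().toISOString(), policyVersion = '1.0' }) {
    this.loadScript = loadScript;
    this.store = store;
    this.now = now;
    this.policyVersion = policyVersion;
    this.pending = [];            // scripts held back until their category is allowed
    this.loaded = new Set();      // src values already injected
    const last = store.latest();  // a returning visitor keeps their last choice
    this.choices = last ? { ...last.choices } : defaultChoices();
  }

  allowed(category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    return CATEGORIES[category].exempt || this.choices[category] === true;
  }

  // "Prior" consent: a tag is injected only once its category is allowed,
  // never before, so no tracking cookie is set ahead of the visitor's choice.
  register(category, src) {
    if (this.allowed(category)) this.load(src);
    else this.pending.push({ category, src });
  }

  load(src) {
    if (this.loaded.has(src)) return;
    this.loaded.add(src);
    this.loadScript(src);
  }

  // Granular save: one boolean per optional category; anything omitted counts
  // as refused. `source` documents how the choice was made (banner, settings...).
  save(choices, source) {
    const next = defaultChoices();
    for (const [name, value] of Object.entries(choices)) {
      if (!(name in CATEGORIES)) throw new Error(`unknown cookie category: ${name}`);
      if (CATEGORIES[name].exempt) continue; // strictly necessary cannot be switched off
      next[name] = value === true;
    }
    this.choices = next;
    const record = {
      id: this.store.nextId(),
      timestamp: this.now(),
      policyVersion: this.policyVersion,
      source,
      choices: { ...next },
    };
    this.store.append(record);
    this.flush();
    return record;
  }

  acceptAll(source = 'banner') {
    const all = {};
    for (const name of Object.keys(CATEGORIES)) all[name] = true;
    return this.save(all, source);
  }

  // Reject is one call, exactly like accept.
  rejectAll(source = 'banner') { return this.save({}, source); }

  // Withdrawal is as easy as giving consent and is logged like any other
  // choice. It stops further loads; cookies already set by scripts that ran
  // before withdrawal must be deleted by the site separately (not shown).
  withdraw() { return this.save({}, 'withdraw'); }

  // Release any held scripts whose category has since been allowed.
  flush() {
    const held = [];
    for (const item of this.pending) {
      if (this.allowed(item.category)) this.load(item.src);
      else held.push(item);
    }
    this.pending = held;
  }
}
```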
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under ePrivacy and GDPR because it sets identifying cookies and sends the data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Its cookieless mode (IP anonymisation plus a visitor hash salted with a daily-rotating value instead of a cookie) is treated as consent-exempt audience measurement by some authorities, notably under the CNIL’s analytics exemption, but that is an interpretation with conditions, not a blanket rule: keep the default cookie mode off, enable IP anonymisation, and check your own DPA’s guidance.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes the analytics category from your consent banner, provided you actually remove Google Analytics and any other tracking script rather than running both. It also usually speeds up your site: the privacy-first scripts are a fraction of the size of the Google Analytics tag.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A browsewrap (“by using the site you accept these terms”) is weakly enforceable; for anything with accounts or payments, use a clickwrap (an explicit, logged “I agree” checkbox)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (Art. 5(3), the “Cookie Law”), applying GDPR’s definition of consent, requires prior, informed, freely given, specific and unambiguous consent before you store or read anything on a visitor’s device that is not strictly necessary: cookies, but equally localStorage, tracking pixels and fingerprinting scripts. “Prior” means before the cookie is set or the script runs, not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be an active click on “Accept”, not scrolling or continuing to browse; the CJEU’s Planet49 ruling (C-673/17) settled that a pre-ticked box is not consent
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without an equally prominent “Reject All” is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: Store what was consented to, when, which policy version was shown, and a pseudonymous consent ID that ties a later withdrawal to the original decision. The first-party cookie that remembers the choice is itself strictly necessary and needs no consent. You do not need to identify anonymous visitors to prove consent, and collecting extra personal data only to document it defeats the purpose.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt when the cookie only remembers a choice the user explicitly made (picking a language); consent is needed for preference or personalisation cookies set on the site’s initiative |
| Analytics | Google Analytics, Hotjar session recordings, Matomo in its default cookie mode | Yes under ePrivacy/GDPR; some DPAs exempt first-party, cookieless audience measurement (see the privacy-first analytics options) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
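The requirements and categories above, as an added example that is not the article’s code nor any plugin’s: a consent manager that loads nothing non-essential before a decision, grants categories separately, makes “reject all” and withdrawal one call each, records every decision with what, when and policy version under a pseudonymous consent ID, and treats a Global Privacy Control signal as an opt-out of marketing. It also keeps the marketing purpose apart from the account terms, as the legal-pages section requires. The category names, policy version string, sample script list and log shape are assumptions.

```javascript
// Added example (not the article's or any consent plugin's code): a consent
// model that enforces the rules above. Nothing non-essential runs before an
// explicit decision, each category is granted separately, "reject all" is
// one click like "accept all", withdrawal is one call, and every decision
// is logged with what/when/policy version under a pseudonymous consent id.
// CATEGORIES, POLICY_VERSION, SCRIPTS and the log shape are assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06"; // bump whenever the cookie policy text changes (assumed)

// Constructed sample of the scripts a site would otherwise embed as
// <script type="text/plain" data-category="..." data-src="...">, which the
// browser does not execute until activateBlockedScripts() swaps them in.
const SCRIPTS = [
  { id: "csrf-helper", category: "necessary", src: "/js/csrf.js" },
  { id: "lang-switcher", category: "functional", src: "/js/lang.js" },
  { id: "ga4", category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "meta-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

function createConsentManager({ now = () => new Date(), gpcSignal = false, newId = () => Math.random().toString(36).slice(2) } = {}) {
  const log = [];      // would be persisted server-side; kept in memory here
  let current = null;  // null = no decision yet, so only "necessary" may run

  function normalise(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" || choices[c] === true;
    // A Global Privacy Control header/navigator signal is a binding opt-out of
    // sale/sharing under the CPRA regulations, so it overrides any marketing "yes".
    if (gpcSignal) granted.marketing = false;
    return Object.freeze(granted);
  }

  function record(action, choices) {
    const entry = {
      consentId: current ? current.consentId : newId(), // stable per visitor, not an identity
      action,
      granted: normalise(choices),
      at: now().toISOString(),
      policyVersion: POLICY_VERSION,
      gpc: gpcSignal,
    };
    log.push(entry);
    current = entry;
    return entry;
  }

  function isAllowed(category) {
    if (category === "necessary") return true;
    return current !== null && current.granted[category] === true;
  }

  const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  return {
    isAllowed,
    acceptAll: () => record("accept_all", all),
    rejectAll: () => record("reject_all", {}),   // as easy as acceptAll: one call, no nested menu
    save: (choices) => record("save_preferences", choices),
    withdraw: () => record("withdraw", {}),      // withdrawal is recorded, not just forgotten
    scriptsToLoad: () => SCRIPTS.filter((s) => isAllowed(s.category)).map((s) => s.id),
    records: () => log.slice(),
  };
}

// Browser side: call with `document` after each decision. Scripts stay inert
// text/plain until their category is allowed; nothing fires on page load.
function activateBlockedScripts(doc, manager) {
  const activated = [];
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!manager.isAllowed(el.dataset.category)) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
    activated.push(el.dataset.src);
  }
  return activated;
}
```

On a WordPress site the plugin does this for you; the model is useful as a checklist for what to verify in the plugin’s output: the first record must come from a click, the consent ID must persist so a withdrawal can be matched to the original decision, and nothing from the analytics or marketing category may appear in the browser’s network tab before that record exists.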
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month window, subject to exceptions such as legal retention duties, and pass the deletion on to every processor holding copies)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if it is likely to result in a high risk, you must also notify the affected users without undue delay. Every breach, notified or not, must be documented internally (Art. 33(5)), and your processors (hosting, email platform, plugins with their own backend) are obliged to tell you about their breaches without undue delay, since your 72 hours start when you become aware. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer and honor the Global Privacy Control (GPC) browser signal as an opt-out; the CPRA regulations make the signal binding, and California’s 2022 Sephora settlement ($1.2M) turned largely on ignoring it. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that their GPC handling is switched on too.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When the card fields are served by the processor (a redirect or an iframe) and the data never touches your server, your scope drops to SAQ A, the simplest self-assessment questionnaire. Two caveats: a form that posts card data from your own page’s JavaScript to the processor’s API, rather than through the processor’s iframe, is SAQ A-EP, not SAQ A; and PCI DSS v4.0 adds requirements to inventory and integrity-check the scripts on your payment page (6.4.3) and to detect tampering with it (11.6.1), because web skimmers (Magecart) compromise the merchant’s page around the iframe rather than the iframe itself. Check the current SAQ A for how those apply to you.
Do not collect card numbers in your own forms, do not store them anywhere in your database, and do not log raw request bodies on checkout routes. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side in the processor’s iframe and tokenizing them before anything is sent to your server.
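A check that backs up the “never handle card data” rule, as an added example (not the article’s code and not from any processor SDK): a guard that spots a Luhn-valid card number in a submitted form field or a log line and rejects or redacts it, so a misconfigured form or plugin cannot quietly pull your database and logs back into PCI scope. The field names and sample inputs are constructed.

```javascript
// Added example (not the article's or any processor's code): a server-side
// guard that catches a card number that should never have reached you, in a
// submitted form field or a log line, and redacts it. A match is 13 to 19
// digits, optionally separated by spaces or hyphens, that pass the Luhn
// check, so order numbers and timestamps of similar length are left alone.
// The field names and sample inputs are constructed.

function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Every Luhn-valid candidate in `text`, with separators stripped.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Keep only the last four (PCI permits displaying them) so the log stays useful.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? `[PAN redacted, last4=${digits.slice(-4)}]` : m;
  });
}

// Run this on checkout/contact submissions before anything is persisted:
// a PAN in a free-text or custom field means a form is collecting what the
// payment iframe should have, and the submission must be rejected, not saved.
function screenSubmission(fields) {
  const offending = Object.entries(fields)
    .filter(([, value]) => findPans(value).length > 0)
    .map(([name]) => name);
  return { ok: offending.length === 0, offending };
}
```

Run it over access and application logs as well as on form submissions; a PAN found in a log is a reportable finding and a scope change, not just a cleanup task.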
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the designation expires after three years unless renewed, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR lets member states set the age of digital consent between 13 and 16), and add a date of birth or age check to registration forms if there is any possibility of underage users. If the answer shows the user is under 13, block the registration: collecting the date of birth and proceeding anyway gives you the “actual knowledge” that triggers COPPA.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)); residency or citizenship is not the test. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union / EEA | Any business, wherever located, that offers goods or services to people in the EU or monitors their behaviour there | Lawful basis for processing, consent, data subject rights, DPO for large-scale or sensitive processing | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | For-profit businesses meeting revenue/data thresholds that collect CA resident data | Right to know, delete and correct; right to opt out of sale or sharing; right to limit use of sensitive data; no discrimination for exercising rights | $2,500 per violation; $7,500 per intentional violation or violation involving minors |
| LGPD | Brazil | Any business processing data of individuals in Brazil | Similar to GDPR - lawful basis, consent, data subject rights | 2% of revenue in Brazil, capped at R$50M per infraction |
| PIPEDA | Canada | Canadian businesses, and foreign businesses collecting Canadian residents' data, in the course of commercial activity | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 per offence |
| UK GDPR | United Kingdom | Businesses processing data of people in the UK (post-Brexit) | Similar to EU GDPR, enforced by the ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: mere accessibility from the EU does not by itself bring you into scope (Recital 23), but offering goods or services to people in the EU or monitoring their behaviour does, and analytics cookies, advertising pixels and session recordings are behavioural monitoring. If your site addresses an international audience and runs any of those, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers), and whether any of them process the data outside the EU/UK, with the transfer safeguard you rely on (adequacy decision, Standard Contractual Clauses)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, object to processing, withdraw consent at any time, and lodge a complaint with a supervisory authority
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A checkbox the user must tick (clickwrap) produces a record of assent that courts reliably enforce; "by using the site you agree" (browsewrap) is much weaker, so use the checkbox for anything that matters, such as registration or checkout
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storing of, or access to, information on the visitor’s device, so localStorage, tracking pixels and fingerprinting scripts fall under it just as cookies do. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of your banner and policy. Key the record to a pseudonymous consent ID rather than the visitor’s identity, and remember that the log itself is personal data with its own retention period
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Hotjar session recordings, Matomo with cookies enabled | Yes under GDPR (cookie-less, IP-truncated audience measurement is the one configuration some regulators exempt; see Privacy-First Analytics Options) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Process for deletion requests (erase within the same one-month window, subject to exceptions such as data you are legally obliged to retain, and pass the erasure on to processors holding copies)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to them, you must also notify the affected users directly without undue delay. Every breach, reported or not, must be documented internally with its facts, effects and the remedial action taken. Designate someone responsible for breach assessment and notification, and make sure your processors’ DPAs oblige them to tell you about breaches on their side promptly, because the 72-hour clock runs from the moment you become aware.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honour the Global Privacy Control signal (the Sec-GPC request header, which the CPRA regulations require businesses to treat as a valid opt-out of sale and sharing). Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that their GPC handling is switched on as well.
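Honouring the opt-out on the server side, as an added example that is not code from the original post or from any of the plugins it names. It treats either the Global Privacy Control header or an explicit opt-out stored by the footer link as a reason not to inject sale/sharing tags, and shows the visitor that the choice was applied. Requests are plain objects so it runs without a web server; the first-party cookie name `ccpa_opt_out` is an assumption.

```javascript
// Added example (not from the original post): treating Global Privacy Control
// and the "Do Not Sell or Share" link as equivalent opt-outs of sale/sharing.

// Browsers that support GPC send the request header "Sec-GPC: 1" (page scripts
// see the same signal as navigator.globalPrivacyControl). Only the exact value
// "1" counts; absence or anything else is no signal.
function hasGpcSignal(headers = {}) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

// Minimal Cookie header parser: name=value pairs separated by ";".
function parseCookies(header = '') {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The effective decision for one request. A GPC signal is honoured even if the
// visitor never saw the footer link and regardless of where we geolocate them;
// the explicit opt-out cookie (assumed name) is set by the link itself.
function sellOrShareDecision(req) {
  const headers = (req && req.headers) || {};
  if (hasGpcSignal(headers)) return { allowed: false, reason: 'gpc' };
  if (parseCookies(headers.cookie).ccpa_opt_out === '1') return { allowed: false, reason: 'link' };
  return { allowed: true, reason: 'none' };
}

// What the page template needs: whether ad/retargeting tags may be injected at
// all, and a notice so the visitor can see that the opt-out took effect.
function renderContext(req) {
  const d = sellOrShareDecision(req);
  return {
    loadAdPixels: d.allowed,
    optOutNotice: d.allowed ? null
      : d.reason === 'gpc' ? 'Opted out of sale/sharing via your browser’s Global Privacy Control signal'
      : 'Opted out of sale/sharing',
  };
}
```

The decision is made before the HTML is rendered, not by a script that removes pixels after the fact; a pixel that fired once has already shared the data. If your caching layer serves the same HTML to every visitor, vary the cache on the Sec-GPC header and the opt-out cookie, or move the tag injection to a small uncached script that calls an endpoint returning `renderContext`.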
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire). Reduced scope is not zero scope: the page that embeds the form is still yours, and a compromised plugin that injects JavaScript into your checkout (a Magecart-style skimmer) captures card details before they reach the processor’s iframe, so keep that page’s scripts and plugins under the same change control and monitoring as the rest of your site.
Do not collect card numbers in your own forms, do not store card numbers anywhere in your database, and make sure they cannot land in server logs, support tickets or form-builder submissions by the back door either. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side in processor-hosted fields and tokenizing them before anything reaches your server.
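A defence-in-depth check that card numbers never reach your own server, as an added example that is not code from the original post or from any of the payment plugins it names. Tokenised forms keep the PAN out of your request bodies by design; this guard catches the cases the design does not cover, such as a customer pasting a card number into a "notes" field or a support form, and rejects or redacts it before it can land in a database or log. The Express-style middleware signature is an assumed integration point. The 4242… number is Stripe's public test card; the other sample strings are constructed for the example.

```javascript
// Added example (not from the original post): detect and redact primary account
// numbers (PANs) that slip into request bodies, logs or tickets.

// Luhn checksum: every PAN on the major card networks passes it, which is what
// separates a card number from an order id or a phone number of similar length.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
// Long numeric ids can still pass Luhn by chance (1 in 10), so this is a
// guard, not a classifier; the Luhn gate keeps the false-positive rate usable.
const PAN_RE = /(?:\d[ -]?){12,18}\d/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Keep only the last four digits: still useful for support, no longer
// cardholder data in the PCI sense.
function redactPans(text) {
  return String(text).replace(PAN_RE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return m;
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Assumed Express-style middleware: refuse any request whose body looks like it
// carries a PAN. Your own forms should never carry one, so a hit is either a
// customer pasting their card somewhere wrong or a broken payment integration.
function rejectCardDataMiddleware(req, res, next) {
  const body = typeof req.body === 'string' ? req.body : JSON.stringify(req.body || {});
  if (findPans(body).length > 0) {
    res.statusCode = 400;
    return res.end('Card details must be entered in the payment form, not submitted to this site.');
  }
  next();
}
```

Run `redactPans` over anything that is persisted from user input (contact-form submissions, chat transcripts, application logs) rather than only over request bodies; a PAN written once to a log file puts that file in scope until it is purged.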
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
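As an added example (not code from the original post or from any plugin it names), here is how a plugin can plug its own table into the Tools > Export Personal Data and Tools > Erase Personal Data workflow, so that the access, portability and deletion requests listed under Data Subject Rights above are handled for plugin data as well as core data. The table name `{$wpdb->prefix}myplugin_submissions`, its columns (`id`, `email`, `message`, `created_at`, `legal_hold`) and the `myplugin_` function names are assumptions; the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters and the callback return shapes are WordPress core's own.

```php
<?php
/**
 * Added example: register an exporter and an eraser for a plugin's own data so
 * WordPress's built-in privacy tools cover it. Assumes a hypothetical table
 * {$wpdb->prefix}myplugin_submissions (id, email, message, created_at, legal_hold).
 */

// Exporter registry filter (available since WordPress 4.9.6).
add_filter( 'wp_privacy_personal_data_exporters', 'myplugin_register_exporter' );
function myplugin_register_exporter( $exporters ) {
    $exporters['myplugin-submissions'] = array(
        'exporter_friendly_name' => __( 'My Plugin form submissions', 'myplugin' ),
        'callback'               => 'myplugin_export_submissions',
    );
    return $exporters;
}

// Core calls this with the requester's email and a page number until 'done' is true.
function myplugin_export_submissions( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( $page - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'myplugin_submissions'; // hypothetical table

    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ) );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'myplugin_submissions',
            'group_label' => __( 'Form submissions', 'myplugin' ),
            'item_id'     => 'submission-' . $row->id,
            'data'        => array(
                array( 'name' => __( 'Submitted at', 'myplugin' ), 'value' => $row->created_at ),
                array( 'name' => __( 'Message', 'myplugin' ),      'value' => $row->message ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page, // false makes core call again with page + 1
    );
}

// Eraser registry filter.
add_filter( 'wp_privacy_personal_data_erasers', 'myplugin_register_eraser' );
function myplugin_register_eraser( $erasers ) {
    $erasers['myplugin-submissions'] = array(
        'eraser_friendly_name' => __( 'My Plugin form submissions', 'myplugin' ),
        'callback'             => 'myplugin_erase_submissions',
    );
    return $erasers;
}

// Deletes everything for the address except rows under a legal hold (the "with exceptions"
// case); retained rows are reported back so the admin sees why they were kept.
function myplugin_erase_submissions( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_submissions';

    $retained = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE email = %s AND legal_hold = 1", $email_address
    ) );
    $deleted = (int) $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s AND legal_hold = 0", $email_address
    ) );

    $messages = array();
    if ( $retained > 0 ) {
        $messages[] = sprintf(
            __( '%d submission(s) retained because they are under a legal hold.', 'myplugin' ),
            $retained
        );
    }

    return array(
        'items_removed'  => $deleted > 0,
        'items_retained' => $retained > 0,
        'messages'       => $messages,
        'done'           => true,
    );
}
```

Core assembles every registered exporter's items into the zip it emails to the requester, which is the machine-readable export the portability item asks for; the eraser's `items_retained` and `messages` fields are what make a retention exception documented on the request screen rather than silently skipped.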
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
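To check the 4.5:1 figure yourself rather than only through WAVE or axe, here is the WCAG 2.1 relative-luminance formula carried through in PHP (added example, not from the original post; the two colour pairs at the bottom are constructed samples, and the function names are my own):

```php
<?php
/**
 * Added example: WCAG 2.1 contrast ratio between two hex colours, checked against
 * the AA thresholds (4.5:1 for normal text, 3:1 for large text).
 */

// Relative luminance per WCAG 2.1: linearise each sRGB channel, then weight R/G/B.
function wcag_relative_luminance( string $hex ): float {
    $hex = ltrim( $hex, '#' );
    if ( strlen( $hex ) === 3 ) { // expand shorthand #abc to #aabbcc
        $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
    }
    $rgb = array_map( 'hexdec', str_split( $hex, 2 ) );
    $lin = array_map( function ( $c ) {
        $c = $c / 255;
        return $c <= 0.03928 ? $c / 12.92 : pow( ( $c + 0.055 ) / 1.055, 2.4 );
    }, $rgb );
    return 0.2126 * $lin[0] + 0.7152 * $lin[1] + 0.0722 * $lin[2];
}

// (L_lighter + 0.05) / (L_darker + 0.05); order of the two colours does not matter.
function wcag_contrast_ratio( string $fg, string $bg ): float {
    $l1 = wcag_relative_luminance( $fg );
    $l2 = wcag_relative_luminance( $bg );
    return ( max( $l1, $l2 ) + 0.05 ) / ( min( $l1, $l2 ) + 0.05 );
}

function wcag_aa_passes( string $fg, string $bg, bool $large_text = false ): bool {
    return wcag_contrast_ratio( $fg, $bg ) >= ( $large_text ? 3.0 : 4.5 );
}

// Constructed samples: a common "light grey on white" placeholder text colour
// sits just under the threshold, while dark grey body text clears it comfortably.
foreach ( array( array( '#777777', '#ffffff' ), array( '#333333', '#ffffff' ) ) as $pair ) {
    printf(
        "%s on %s: %.2f:1 %s\n",
        $pair[0], $pair[1],
        wcag_contrast_ratio( $pair[0], $pair[1] ),
        wcag_aa_passes( $pair[0], $pair[1] ) ? 'passes AA' : 'fails AA for normal text'
    );
}
```

Run it against the actual text and background colours from your theme's stylesheet; the large-text threshold (3:1) only applies to text of roughly 18pt, or 14pt bold, and larger.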
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
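One way to implement the separate, unbundled checkboxes described under Legal Page Templates above, and to record the date, IP and method of consent for each purpose as this section recommends, on the stock WordPress registration form. This is an added example, not the post's own code: the `example_` field names, meta keys and the `policy_version` value are assumptions; `register_form`, `registration_errors` and `user_register` are WordPress core hooks.

```php
<?php
/**
 * Added example: unbundled consent on the default WordPress registration form.
 * The Terms box is required; marketing consent is a separate, optional box.
 * Neither is pre-ticked. Each purpose gets its own consent record (UTC timestamp,
 * IP, method, policy version) stored as user meta.
 */

// 1. Output the checkboxes. No "checked" attribute anywhere: pre-ticked consent is not valid.
add_action( 'register_form', 'example_consent_fields' );
function example_consent_fields() {
    wp_nonce_field( 'example_consent', 'example_consent_nonce' );
    ?>
    <p>
        <label>
            <input type="checkbox" name="example_accept_tos" value="1">
            <?php esc_html_e( 'I have read and agree to the Terms of Service and Privacy Policy', 'example' ); ?>
        </label>
    </p>
    <p>
        <label>
            <input type="checkbox" name="example_accept_marketing" value="1">
            <?php esc_html_e( 'Send me occasional product news by email (optional, withdraw any time)', 'example' ); ?>
        </label>
    </p>
    <?php
}

// 2. Refuse registration unless the Terms box was ticked; marketing is never a condition.
add_filter( 'registration_errors', 'example_require_tos', 10, 3 );
function example_require_tos( $errors, $sanitized_user_login, $user_email ) {
    if ( empty( $_POST['example_accept_tos'] ) ) {
        $errors->add( 'tos_required', __( 'You must accept the Terms of Service to register.', 'example' ) );
    }
    return $errors;
}

// 3. Once the account exists, store one record per purpose.
add_action( 'user_register', 'example_store_consent' );
function example_store_consent( $user_id ) {
    if ( ! isset( $_POST['example_consent_nonce'] )
        || ! wp_verify_nonce( $_POST['example_consent_nonce'], 'example_consent' ) ) {
        return;
    }
    $purposes = array(
        'terms_of_service' => ! empty( $_POST['example_accept_tos'] ),
        'email_marketing'  => ! empty( $_POST['example_accept_marketing'] ),
    );
    foreach ( $purposes as $purpose => $given ) {
        $record = array(
            'purpose'        => $purpose,
            'given'          => $given,
            'timestamp'      => current_time( 'mysql', true ), // UTC
            'ip'             => example_client_ip(),
            'method'         => 'registration_form',
            'policy_version' => '2024-01', // assumed value; bump it whenever the policy text changes
        );
        // add_user_meta (not update_user_meta) so a later withdrawal appends a new
        // record and the full grant/withdraw history is preserved.
        add_user_meta( $user_id, 'example_consent_' . $purpose, $record );
    }
}

function example_client_ip() {
    // REMOTE_ADDR is the peer PHP sees; behind a proxy or CDN, configure the
    // server to pass the real client address through rather than trusting
    // arbitrary request headers here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}
```

Recording `given => false` for the marketing purpose is deliberate: it documents that the question was asked and declined, which is what you need when a subscriber later disputes how they got onto a list. The same records are what the "Review consent records" task in the maintenance table above is checking for.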
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Whichever plugin you choose, verify the script blocking yourself: open the site in a private window, refuse everything, and check in the browser’s network and storage tabs that no analytics or advertising hosts are contacted and no non-essential cookies appear. A banner that merely hides itself while the tags still load does not give you prior consent.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; extendable by a further two months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within one month, with exceptions such as records you must keep for legal or accounting reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core WordPress data (users, comments, media) plus any plugin that registers its own handlers through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters; plugin data that is not registered is silently skipped rather than flagged. Run a test export and erasure for a known account and check whether its WooCommerce orders, BuddyPress profile, or form submissions appear; if they do not, find out whether the plugin ships its own export/erasure tool, and if it does not, that data needs a manual process.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected people directly and without undue delay. Keep an internal log of every breach, including the ones you decide not to report and why, because the authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and check that your hosting and plugin vendors (your processors) are bound by their DPA to tell you about breaches promptly: the 72-hour clock starts when you become aware, not when they do.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal (sent as a `Sec-GPC: 1` request header and exposed to page scripts as `navigator.globalPrivacyControl`) as an opt-out of sale and sharing. The CPRA regulations require honoring GPC, and the California Attorney General has already enforced it against a retailer that ignored the signal. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display the link only to California visitors; check that their GPC handling is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot leak sideways into server logs, form-plugin submission archives, or error-reporting tools. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (in iframes served by the processor) and tokenizing them before anything reaches your server. SAQ A still leaves you responsible for the checkout page itself: PCI DSS 4.0 expects you to know which scripts run on your payment page and to detect unauthorised changes to it, because a compromised third-party script on that page can replace or overlay the payment iframe the way a skimmer does. Keep the checkout page free of unnecessary third-party scripts and tag managers, and treat any plugin that injects JavaScript there as in scope.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 for US sites and 16 for EU sites, since GDPR sets 16 unless a member state lowers it), and add an age check to registration forms if there is any possibility of underage users. Make the age screen neutral (ask for a date of birth without stating the cutoff, and do not let a failed attempt simply be retried with a different date in the same session), and store only the pass/fail result rather than the date of birth, which is itself personal data you would then have to protect.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the version of the terms that was shown alongside the account, or the record proves little once the terms change. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and none of them may be pre-ticked.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and against which version of your cookie policy. Store a random consent ID with the choices and the policy version, not more identity than you need; a consent log full of IP addresses is itself personal data you then have to protect
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under the ePrivacy rules, unless the tool runs in a cookie-less, first-party configuration that your national authority has exempted |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (“clickwrap”) is enforced by courts far more reliably than a statement that using the site implies acceptance (“browsewrap”), so use the checkbox for anything that matters, such as paid services or user-generated content
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
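The requirements above (prior consent, granular choices, equal reject option, easy withdrawal, a stored record) map onto a small piece of client logic. The following is an added example, not code from the original post or from any of the consent plugins it names; the category names follow the table above, the `POLICY_VERSION`, the script list and the `ctx` fields are constructed, and rendering the banner and un-blocking `<script>` tags is left to the caller.

```javascript
// Added example (not from the original post): a minimal consent state machine
// for the cookie categories above. DOM wiring is deliberately left out so the
// decision logic can be tested on its own.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06"; // constructed; bump whenever the cookie policy changes

// "Prior" consent: before any explicit choice, only strictly necessary cookies may be set.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn an explicit user action into a consent record. Scrolling, closing the
// banner or continuing to browse is not an action and must never reach here.
function recordConsent(action, choices, ctx) {
  if (!["accept_all", "reject_all", "save_selection"].includes(action)) {
    throw new Error("consent requires an explicit click, got: " + action);
  }
  const granted = defaultConsent();
  if (action === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (action === "save_selection") {
    // Granular: each non-essential category is an independent, unticked-by-default choice.
    for (const c of CATEGORIES) {
      if (c !== "necessary") granted[c] = Boolean(choices && choices[c] === true);
    }
  }
  // "reject_all" keeps the defaults: necessary only, and is one click like "accept_all".
  return {
    id: ctx.id,             // random identifier the banner generates (constructed)
    timestamp: ctx.now,     // ISO-8601 time of the click
    policyVersion: POLICY_VERSION,
    action,
    granted,
  };
}

// Withdrawal is a single call and returns to the pre-consent state; the record
// keeps its id so the consent log shows who withdrew and when.
function withdrawConsent(record, ctx) {
  return { ...record, timestamp: ctx.now, action: "withdraw", granted: defaultConsent() };
}

// Gate for blocked scripts. No record, or a record for an older policy version,
// means only necessary scripts run and the banner has to be shown again.
// Unknown categories are treated as marketing, the strictest class.
function mayLoad(scriptCategory, record) {
  if (scriptCategory === "necessary") return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  const cat = CATEGORIES.includes(scriptCategory) ? scriptCategory : "marketing";
  return record.granted[cat] === true;
}

// Constructed list of scripts tagged by category, the way a consent plugin
// blocks them until the matching category has been granted.
const SCRIPTS = [
  { src: "/assets/csrf-helper.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js", category: "analytics" },
  { src: "https://connect.facebook.net/en_US/fbevents.js", category: "marketing" },
  { src: "https://example.invalid/mystery-widget.js", category: "unknown" },
];

function scriptsToLoad(record) {
  return SCRIPTS.filter((s) => mayLoad(s.category, record)).map((s) => s.src);
}

// Persist in a first-party cookie or localStorage. Anything that does not parse
// back into a well-formed record is treated as "no consent yet".
function serializeRecord(record) {
  return JSON.stringify(record);
}

function parseRecord(raw) {
  try {
    const r = JSON.parse(raw);
    const ok = r && typeof r.policyVersion === "string" && r.granted &&
      CATEGORIES.every((c) => typeof r.granted[c] === "boolean");
    return ok ? r : null;
  } catch (e) {
    return null;
  }
}
```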
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: payment details are collected client-side and tokenized by the processor, so only a token - never the card number - reaches your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, a separate checkbox for each consent purpose (email marketing vs necessary account data) is required - bundled consent is not valid.
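The age check from the COPPA section and the separate consent checkboxes described here can be enforced in one server-side validation step. The following is an added example, not code from the original post: it assumes a minimum age of 16 for EU visitors and 13 elsewhere (the ages the text cites), that the form layer has already turned checkboxes into booleans, and that region detection is the caller's job; the date of birth is checked but not stored.

```javascript
// Added example (not from the original post): registration validation that keeps
// the ToS tick, the optional marketing opt-in and the age gate as three separate
// decisions. Field names and region codes are constructed for the example.

const MIN_AGE = { EU: 16, DEFAULT: 13 };

// Full years between an ISO date of birth (YYYY-MM-DD) and "today"; null for
// malformed or impossible input.
function ageOn(dob, today) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(dob || "");
  if (!m) return null;
  const birth = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
  // Reject dates such as 2010-02-30, which Date would silently roll over into March.
  if (birth.getUTCMonth() !== +m[2] - 1 || birth.getUTCDate() !== +m[3]) return null;
  const now = new Date(today);
  if (Number.isNaN(now.getTime()) || birth > now) return null;
  let age = now.getUTCFullYear() - birth.getUTCFullYear();
  const beforeBirthday =
    now.getUTCMonth() < birth.getUTCMonth() ||
    (now.getUTCMonth() === birth.getUTCMonth() && now.getUTCDate() < birth.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age;
}

function validateRegistration(form, ctx) {
  const errors = [];
  // The ToS box is rendered unticked; only a literal true counts as acceptance
  // (a missing field, "on", or any other value is not acceptance).
  if (form.acceptTos !== true) errors.push("tos_not_accepted");
  // Marketing consent is its own optional box. It is never required for
  // registration and never inferred from the ToS tick (that would be bundling).
  const marketing = form.marketingOptIn === true;
  // Age gate: region decides the threshold; unknown regions get the default.
  const minAge = MIN_AGE[ctx.region] ?? MIN_AGE.DEFAULT;
  const age = ageOn(form.dateOfBirth, ctx.today);
  if (age === null) errors.push("dob_invalid");
  else if (age < minAge) errors.push("under_minimum_age");
  if (errors.length) return { ok: false, errors };
  // What gets persisted: one consent fact per purpose plus the age-gate outcome.
  // The birth date itself is not kept (data minimisation).
  return {
    ok: true,
    consents: [
      { purpose: "terms_of_service", granted: true, at: ctx.today, ip: ctx.ip },
      { purpose: "email_marketing", granted: marketing, at: ctx.today, ip: ctx.ip },
    ],
    ageGate: { passed: true, minimumAge: minAge },
  };
}
```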
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU or monitors their behaviour (analytics and advertising pixels count as monitoring), regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing the data of people in the EU | Lawful basis for processing, consent, data subject rights, DPO for public bodies and for large-scale monitoring or sensitive-data processing | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit “I agree” checkbox at registration or checkout (clickwrap) is far easier to enforce than a notice that using the site implies acceptance (browsewrap), which courts regularly decline to uphold
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers any storing of or access to information on the visitor’s device, so localStorage, tracking pixels and fingerprinting scripts need consent just as cookies do. “Prior” means before the cookie is set or the tracking script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of your cookie policy. Key the record to a random consent ID rather than the visitor’s IP address, so the consent log does not turn into a tracking database of its own
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes - some national regulators (France’s CNIL, for example) exempt strictly limited audience measurement, but a default Google Analytics install does not qualify |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex requests if you tell the requester why within the first month)
- Process for deletion requests (erase the data within the same one-month window, subject to exceptions such as legal retention duties)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form), and verify the requester’s identity before releasing anything - a forged access request is a cheap way to extract someone else’s personal data
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media) plus whatever plugins register through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters - a plugin that does not hook in is silently skipped. Run a test export for an account you control and check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear; if they do not, use the plugin’s own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Every breach, notifiable or not, must be documented internally (Article 33(5)). Designate someone responsible for breach assessment and notification in your organization, and make sure the site keeps the access and audit logs that person would need to establish what was taken.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an iframe-based payment form from a PCI DSS compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of your web server and application logs too. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, inside the processor’s iframe, and tokenizing them before anything reaches your server. One caveat: tokenization protects the card data only while the page that embeds the form is trustworthy. A script injected into a compromised WordPress site (a Magecart-style skimmer) cannot read inside the processor’s iframe, but it can overlay a fake card form or swap the iframe for its own, so keep unrelated third-party JavaScript off checkout pages, patch plugins promptly, and consider a Content-Security-Policy that limits which script sources checkout pages may load. PCI DSS v4 added script-management expectations for payment pages for exactly this reason.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance (store the timestamp and the ToS version accepted, not just a yes/no flag). For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing checkbox must not be pre-ticked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with implied consent available only in limited cases such as an existing business relationship.
For a list that holds up under all three regimes: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, source form, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. Double opt-in also stops attackers from subscribing other people’s addresses through your form, which turns your list into a spam source.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available, and some regulators (France’s CNIL, for one) accept it without a consent banner when it is configured to their audience-measurement guidance.
- Plausible: From $9/month. No cookies, no personal data retained, designed around GDPR. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of the request; GDPR lets you extend by two further months for complex requests, but you must tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month deadline, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in a machine-readable format such as CSV or JSON)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form), and verify the requester’s identity before releasing or deleting anything - a forged access request is an easy way for an attacker to pull someone else’s data out of your systems
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (accept Google’s data processing terms in the Analytics account settings), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation (Article 28 requires a written contract with every processor) even if everything else is in order. Check that the DPA also names the transfer mechanism for data leaving the EU (Standard Contractual Clauses or, for US vendors, Data Privacy Framework certification) and that you know where the vendor publishes its sub-processor list, since a change there changes who holds your users’ data.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Every breach, reported or not, must be documented internally with its facts, effects and the remedial action taken (Article 33(5)), so keep an incident log. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting and application logs are retained long enough to work out what happened - a 72-hour clock is short when the first day goes on finding out which accounts were affected.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The California regulations also require you to honor an opt-out preference signal sent by the browser (Global Privacy Control, visible to scripts as navigator.globalPrivacyControl), so whatever handles the footer link must treat that signal as an opt-out as well; the link alone is not enough.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability with a visible focus indicator, screen reader compatibility, captions for video, and no content that flashes more than three times in any one second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit, and fix high-severity issues first. Automated scanners only catch a fraction of WCAG failures; finish the audit by tabbing through your key pages with the mouse unplugged and by walking the registration or checkout flow with a screen reader.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers through a redirect or an iframe and never touches yours, your PCI scope shrinks to SAQ A, the shortest self-assessment questionnaire. You still complete and sign the SAQ each year for your acquirer; reduced scope is not zero scope.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and do not let them reach your logs either - a support form where a customer pastes their card number is a classic way for a full card number to end up in a ticketing system. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server, so your code only ever sees an opaque token. The remaining risk is the page that embeds the form: an attacker who can inject JavaScript into your checkout page (through a compromised plugin, a stale theme, or a stolen admin account) can skim card numbers before they reach the processor’s iframe, which is how Magecart-style attacks work. Keep that page’s CMS and plugins patched, restrict who can edit it, and set a Content-Security-Policy that limits which script origins may load there.
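To make the “card data never touches your server” rule enforceable rather than aspirational, here is a server-side guard as an added example (not code from the original post, and not from Stripe or PayPal): it scans every string in an incoming checkout body for anything that looks like a raw card number (13 to 19 digits that pass the Luhn check) and rejects the request, accepting only an opaque token. The `payment_token` field name, the `pm_`-prefixed token shape and the sample submissions are assumptions made for this example; only the last four digits of an offending value are ever reported, so the guard itself never logs a card number.

```javascript
// Added example (not from the original post): refuse any form submission that
// carries a raw payment card number, so a PAN never reaches your database or logs.
// With Stripe Elements / PayPal Smart Buttons the browser sends only an opaque
// token to your server; anything else arriving is a bug or a skimming attempt.
'use strict';

// Luhn check (ISO/IEC 7812): the last digit is a check digit over the rest.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate: 13-19 digits, optionally separated by spaces or dashes. Order numbers
// and phone numbers usually fail Luhn, which keeps false positives low.
const CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk every string in a submitted body (nested objects and arrays included).
function scanForPans(value, path = '$', found = []) {
  if (typeof value === 'string') {
    for (const pan of findPans(value)) found.push({ path, last4: pan.slice(-4) });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanForPans(v, `${path}[${i}]`, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) scanForPans(v, `${path}.${k}`, found);
  }
  return found;
}

// Assumed token shape for the example: a Stripe PaymentMethod id ("pm_" + alphanumerics).
const TOKEN_SHAPE = /^pm_[A-Za-z0-9]+$/;

// Returns { ok: true, token } or { ok: false, reason, findings }.
function validateCheckoutBody(body) {
  const findings = scanForPans(body);
  if (findings.length > 0) {
    return { ok: false, reason: 'raw card number present', findings };
  }
  if (typeof body.payment_token !== 'string' || !TOKEN_SHAPE.test(body.payment_token)) {
    return { ok: false, reason: 'missing or malformed payment token', findings: [] };
  }
  return { ok: true, token: body.payment_token };
}

// Constructed sample submissions (not real cards; 4242... is Stripe's public test number).
const GOOD = { order: '10042', payment_token: 'pm_1AbCdEfGhIjKlMnO', note: 'leave at door' };
const LEAK = { order: '10043', payment_token: 'pm_1AbCdEfGhIjKlMnO', note: 'card 4242 4242 4242 4242 exp 12/30' };

console.log(validateCheckoutBody(GOOD)); // accepted: only a token reached the server
console.log(validateCheckoutBody(LEAK)); // rejected: a PAN is sitting in the free-text field
```

Wire `validateCheckoutBody` in as the first thing your checkout and support-form handlers do, before validation logic that might echo fields into error messages or logs; a rejection should tell the customer to use the payment form, not quote the value back.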
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office, posted the agent’s contact details on your site, and have a working takedown process, including a policy for terminating repeat infringers.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and the designation expires after three years, so put the renewal date in your compliance calendar - an expired registration means no safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge that you are collecting data from users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR Article 8 sets 16 as the default age for consent and lets member states lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make the age screen neutral: ask for a date of birth without stating the minimum age next to the field, and set a short-lived cookie after a rejection so a visitor cannot simply press back and enter a different date - the FTC’s COPPA guidance says age screening must be done in a way that does not invite falsification.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
An “I have read and agree to the Terms of Service” box that the user ticks during registration creates a documented record of acceptance - store the timestamp, the account, and the version of the terms that was shown, because a record that cannot say which text was accepted is weak evidence later. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none may be pre-ticked, and agreeing to the terms must not be conditional on the optional purposes - bundled consent is not valid, and consent must be as easy to withdraw as it was to give.
Privacy-First Analytics Options
Google Analytics requires consent before it loads because it sets tracking cookies (the EU’s ePrivacy rules, which is where cookie consent comes from) and sends personal data to Google’s servers in the US (GDPR). If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly; the French regulator CNIL publishes the configuration it accepts as exempt (first-party only, IP address truncated, audience measurement only, no cross-site tracking).
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
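The decisions a consent plugin’s geo-targeting, script blocking and CCPA settings make can be written down as a small pure function, which makes them testable outside a browser. The following is an added example (not from the original post, nor from any of the plugins discussed on this page): it decides which scripts may load for a visitor based on where they are, what they have answered, and whether their browser sends the Global Privacy Control signal, and it covers both the CCPA footer link from the California section and the analytics consent discussed just above. The country list (EEA plus the UK and Switzerland, all treated as opt-in), the category names, the `sharesData` flags and the script registry are assumptions made for this example.

```javascript
// Added example (not from the original post): consent-gated script loading with
// geo-targeting and Global Privacy Control, as pure functions plus a thin DOM shim.
'use strict';

// Assumed: EEA + UK + Switzerland are opt-in regimes; California is opt-out; the
// rest of the world is treated permissively but still honors an explicit "no" and GPC.
const OPT_IN_COUNTRIES = new Set(['AT','BE','BG','HR','CY','CZ','DK','EE','FI','FR','DE','GR','HU',
  'IE','IT','LV','LT','LU','MT','NL','PL','PT','RO','SK','SI','ES','SE','IS','LI','NO','GB','CH']);

function regimeFor(country, region) {
  if (OPT_IN_COUNTRIES.has(country)) return 'opt-in';        // nothing non-essential before consent
  if (country === 'US' && region === 'CA') return 'opt-out'; // load, but honor opt-out and GPC
  return 'permissive';
}

// Script registry (assumed): which consent category each needs and whether it
// "sells or shares" data in the CCPA sense. GA with data sharing enabled and ad
// pixels do; a cookieless first-party counter does not.
const SCRIPTS = [
  { id: 'session',   category: 'necessary', sharesData: false },
  { id: 'plausible', category: 'necessary', sharesData: false },
  { id: 'ga4',       category: 'analytics', sharesData: true },
  { id: 'fb-pixel',  category: 'marketing', sharesData: true },
];

// consent: { analytics: true|false|undefined, marketing: ... }; undefined = not answered yet.
// gpc: the value of navigator.globalPrivacyControl in the browser.
function allowedScripts({ country, region, consent = {}, gpc = false }) {
  const regime = regimeFor(country, region);
  return SCRIPTS.filter((s) => {
    if (s.category === 'necessary') return true;
    const answer = consent[s.category];
    if (regime === 'opt-in') return answer === true;   // silence is a no
    if (answer === false) return false;                // explicit opt-out
    if (gpc && s.sharesData) return false;             // GPC counts as "do not sell or share"
    return true;
  }).map((s) => s.id);
}

// Whether to render the CCPA "Do Not Sell or Share" link, and whether the opt-out
// is already in force because of GPC (the UI should then show it as active).
function ccpaUi({ country, region, gpc = false }) {
  if (regimeFor(country, region) !== 'opt-out') return { showLink: false, optedOut: false };
  return { showLink: true, optedOut: gpc === true };
}

// Browser glue (not exercised by the tests): inject only the approved scripts, once.
function loadApproved(doc, ids, srcById) {
  for (const id of ids) {
    if (!srcById[id] || doc.querySelector(`script[data-consent-id="${id}"]`)) continue;
    const el = doc.createElement('script');
    el.src = srcById[id];
    el.async = true;
    el.dataset.consentId = id;
    doc.head.appendChild(el);
  }
}

// Constructed sample visitors.
console.log('DE, no answer     ->', allowedScripts({ country: 'DE' }));
console.log('DE, analytics yes ->', allowedScripts({ country: 'DE', consent: { analytics: true } }));
console.log('US-CA, GPC on     ->', allowedScripts({ country: 'US', region: 'CA', gpc: true }));
console.log('US-CA link        ->', ccpaUi({ country: 'US', region: 'CA', gpc: true }));
```

In a real deployment the country and region come from a header your CDN sets, the consent object from the banner’s stored choice, and `loadApproved` runs once on page load and again when the visitor changes their choice; everything the banner blocks must be absent from the page markup, since a script that is already in the HTML has run before any of this code sees it.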
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
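The five requirements above expressed as a small consent state machine that a banner could drive, added here as an illustration and not code from the original post or from any of the plugins it compares. The non-essential category names follow the Cookie Categories table; the policy version, visitor ids, tag inventory and the inert-script pattern are assumptions.

```javascript
// Added illustration, not code from the original post or any plugin it compares.
// Non-essential categories follow the page's cookie table; POLICY_VERSION,
// visitor ids and the tag inventory below are assumptions for the example.
const CATEGORIES = ["functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // assumed: bump whenever the cookie policy changes

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    this.state = null;   // null = no decision yet, so nothing non-essential may run
    this.records = [];   // append-only consent log (what, when, by whom, which policy)
  }

  // Active, granular choice: `choices` lists only the categories the visitor
  // ticked; everything else defaults to false (no pre-ticked boxes).
  decide(choices, subjectId) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = choices.includes(c);
    return this._record("grant", granted, subjectId);
  }

  acceptAll(subjectId) { return this.decide(CATEGORIES, subjectId); }
  rejectAll(subjectId) { return this.decide([], subjectId); } // one click, same weight as Accept All

  // Withdrawal is as easy as granting: one call, written to the same log.
  withdraw(subjectId) {
    const none = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    return this._record("withdraw", none, subjectId);
  }

  _record(action, granted, subjectId) {
    const record = {
      action,
      granted,
      subjectId,
      policyVersion: POLICY_VERSION,
      at: this.now().toISOString(),
    };
    this.records.push(record);
    this.state = granted;
    return record;
  }

  // "Prior" consent: a category may load only after an explicit grant for it.
  // Strictly necessary scripts are exempt and always allowed.
  mayLoad(category) {
    if (category === "necessary") return true;
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    return this.state !== null && this.state[category] === true;
  }

  // Consent recorded under an older policy version is stale and must be asked again.
  needsRefresh(currentVersion = POLICY_VERSION) {
    const last = this.records[this.records.length - 1];
    return !last || last.policyVersion !== currentVersion;
  }
}

// Scripts are authored inert (for example type="text/plain" plus a data attribute
// naming the category, a common consent-plugin pattern) and activated only when
// the manager allows that category. Returns the sources that may be activated.
function activateScripts(manager, tags) {
  return tags.filter((t) => manager.mayLoad(t.category)).map((t) => t.src);
}

// Constructed sample tag inventory mirroring the page's category table.
const SAMPLE_TAGS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "https://analytics.example/tracker.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Walk one visitor through decision, use and withdrawal; returns what ran at each step.
function demo() {
  const cm = new ConsentManager();
  const before = activateScripts(cm, SAMPLE_TAGS);        // only session.js
  cm.decide(["analytics"], "visitor-123");
  const afterGrant = activateScripts(cm, SAMPLE_TAGS);    // session.js + tracker.js
  cm.withdraw("visitor-123");
  const afterWithdraw = activateScripts(cm, SAMPLE_TAGS); // session.js only again
  return { before, afterGrant, afterWithdraw, log: cm.records };
}
```

Persist `records` server-side (that is the consent-record requirement) and call `needsRefresh()` on each visit so that a changed cookie policy re-prompts the visitor instead of relying on stale consent.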
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
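A server-side check for the advice above, added here as an illustration and not code from the original post, Stripe or PayPal: it refuses any checkout payload that carries a Luhn-valid string in card-number shape, so a misconfigured form that posts raw card data to your server is caught instead of silently widening your PCI scope. The field names, the 422 status and the sample bodies are assumptions; 4242 4242 4242 4242 is a publicly documented test card number.

```javascript
// Added illustration, not code from the original post or any payment processor.
// Guards a checkout endpoint: with Stripe.js/Elements or PayPal Smart Buttons the
// browser should only ever send a token or payment-method id, so a card number
// reaching this code means the form is wired wrongly. Field names, the status
// code and the sample bodies below are constructed for the example.

// Luhn check over a string of digits (the checksum every card PAN satisfies).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Card PANs are 13 to 19 digits and are often typed with spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Returns the digit strings in `text` that both look like a PAN and pass Luhn.
function findPans(text) {
  const hits = [];
  for (const m of text.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Walk a parsed JSON body (strings, numbers, arrays, nested objects) and report
// where a PAN was found. Only the last four digits are kept, so the finding
// itself can be logged without storing card data.
function scanBody(body, path = "") {
  const findings = [];
  if (typeof body === "string" || typeof body === "number") {
    for (const pan of findPans(String(body))) {
      findings.push({ path, last4: pan.slice(-4) });
    }
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => findings.push(...scanBody(v, `${path}[${i}]`)));
  } else if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  }
  return findings;
}

// The decision a request-handling middleware would make before any processing:
// pass the tokenized request through, or reject it and raise an alert.
function checkCheckoutRequest(body) {
  const findings = scanBody(body);
  return findings.length === 0
    ? { ok: true, findings: [] }
    : { ok: false, status: 422, findings };
}

// Constructed sample bodies.
const TOKENIZED_BODY = { payment_method: "pm_TEST_PLACEHOLDER", amount: 1999, email: "buyer@example.com" };
const LEAKED_BODY = { card: { number: "4242 4242 4242 4242", exp: "12/30" }, amount: 1999 };
const ORDER_REF_BODY = { order_ref: "1234567890123", note: "phone 555-0100" }; // 13 digits, fails Luhn
```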
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: GDPR reaches you when you offer goods or services to people in the EU or monitor their behaviour, and analytics and advertising cookies count as monitoring. Merely being reachable from the EU is not enough on its own, but a publicly accessible site that collects any data (email signups, contact forms, cookies, analytics) and has European visitors is very likely caught. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit "I agree" checkbox at registration or checkout is far more enforceable than "browsewrap" (continued use of the site implies acceptance), which US courts have repeatedly declined to enforce
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies - or, more precisely, before any non-essential read or write to the visitor’s device, so localStorage, fingerprinting scripts and tracking pixels are covered too. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, by which (pseudonymous) visitor, and which version of the banner and policy they saw
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month; GDPR allows two further months for complex or numerous requests, but you must tell the person about the extension within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core data (users, comments) but not plugin data: plugins have to register their own exporters and erasers through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters, and many do not. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear in a test export, and whether a test erasure actually removes them.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization, and keep an internal log of every breach, including those you decide do not need reporting and why: GDPR requires that documentation, and it is the first thing a regulator asks for.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). One caveat: PCI DSS v4.0 brought the JavaScript running on the payment page into view even for SAQ A merchants, and the questionnaire’s eligibility criteria have changed more than once since, so check the current SAQ A text rather than assuming an iframe removes every obligation - a plugin injecting scripts into your checkout page is exactly what those criteria are about.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance (store the timestamp and the ToS version alongside the account). For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages unless one of its narrow, time-limited implied-consent exceptions (such as an existing business relationship) applies.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. When configured as CNIL describes in its consent-exemption guidance (no cookies, IP anonymisation on, no cross-site tracking or data sharing), it does not require consent under most GDPR interpretations.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
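The "Script Blocking" and "Consent Logs" columns in the plugin comparison above, and the "no pre-tick, granular, withdrawable" rule in this checklist, describe the same small piece of machinery. Here is that machinery as an added example in plain JavaScript. It is not code from Complianz, CookieYes or any other plugin in the table; the category names, the storage key and the gated-script list are assumed for illustration. The manager refuses to load any tagged script until a stored decision grants its category, never pre-ticks an optional category, writes the method and time of every decision (the consent log), and makes withdrawal a single call.

```javascript
// Added example (not code from any plugin in the table above): the core of a
// consent manager. Category names, the storage key and the gated-script list
// are assumed for illustration.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const STORAGE_KEY = 'site_consent_v1';

// Constructed sample tag inventory. Nothing here loads until its category is granted.
const GATED_SCRIPTS = [
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Banner state before the visitor has chosen anything: every optional box unticked.
function initialChoices() {
  return Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
}

function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const loaded = new Set();

  function read() {
    const raw = storage.getItem(STORAGE_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // Prior consent: with no stored decision, every optional category is denied.
  function allowed(category) {
    if (category === 'necessary') return true;
    const record = read();
    return Boolean(record && record.granted.includes(category));
  }

  // Store an explicit, granular decision together with how and when it was made
  // (the consent log). Unknown categories are dropped; 'necessary' is always kept.
  function save(choices, method) {
    const granted = CATEGORIES.filter(c => c === 'necessary' || choices[c] === true);
    const record = { granted, method, at: now().toISOString() };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    applyConsent();
    return record;
  }

  function acceptAll() {
    return save(Object.fromEntries(CATEGORIES.map(c => [c, true])), 'accept_all');
  }
  function rejectAll() { return save(initialChoices(), 'reject_all'); }
  // Withdrawing is as easy as consenting: one call, and no optional category survives.
  function withdraw() { return save(initialChoices(), 'withdrawn'); }

  // Load every gated script whose category is currently granted, once each.
  // A script already on the page cannot be unloaded; after withdrawal it simply
  // never loads again on the next page view.
  function applyConsent() {
    for (const script of GATED_SCRIPTS) {
      if (allowed(script.category) && !loaded.has(script.id)) {
        loadScript(script);
        loaded.add(script.id);
      }
    }
    return [...loaded];
  }

  return { read, allowed, save, acceptAll, rejectAll, withdraw, applyConsent };
}

// In-memory storage with the localStorage getItem/setItem shape, for use outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: key => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
  };
}

// Browser wiring: a <script> tag is injected only when loadScript runs, i.e. after consent.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const manager = createConsentManager({
    storage: localStorage,
    loadScript: ({ src }) => {
      const el = document.createElement('script');
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
    },
  });
  manager.applyConsent(); // on page load: honours an earlier decision, loads nothing otherwise
  window.siteConsent = manager; // banner buttons call acceptAll, save or withdraw
}
```

The point to check in any plugin you adopt is the same as in this sketch: the analytics and marketing tags must be absent from the page until `applyConsent` runs with a granted category, not merely "paused", and the stored record must carry the method and timestamp you would need to show a supervisory authority.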
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
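The 4.5:1 figure above is the output of a specific formula, and knowing it lets you check a theme palette before WAVE or axe does. The following is an added example, not code from either tool: it implements the WCAG 2.1 relative-luminance and contrast-ratio definitions and audits a small palette. The palette colours are constructed for the example.

```javascript
// Added example (not WAVE's or axe's code): the WCAG 2.1 contrast-ratio formula,
// which is what those tools apply when they flag low-contrast text. The sample
// palette is constructed.

function hexToRgb(hex) {
  let h = hex.replace(/^#/, '');
  if (h.length === 3) h = h.split('').map(c => c + c).join('');
  if (!/^[0-9a-f]{6}$/i.test(h)) throw new Error(`not a hex colour: ${hex}`);
  return [0, 2, 4].map(i => parseInt(h.slice(i, i + 2), 16));
}

// Relative luminance per WCAG 2.1: gamma-expand each sRGB channel, then weight.
function relativeLuminance([r, g, b]) {
  const lin = c => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : ((s + 0.055) / 1.055) ** 2.4;
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1.
function contrastRatio(fg, bg) {
  const a = relativeLuminance(hexToRgb(fg));
  const b = relativeLuminance(hexToRgb(bg));
  return (Math.max(a, b) + 0.05) / (Math.min(a, b) + 0.05);
}

// Level AA: 4.5:1 for normal text, 3:1 for large text (18pt, or 14pt bold).
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette: returns the pairs that fail AA, with the ratio rounded to 2 dp.
function auditPalette(pairs) {
  return pairs
    .map(p => ({ ...p, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }))
    .filter(p => !meetsAA(p.fg, p.bg, { largeText: p.largeText }));
}

// Constructed sample palette: body text, a light-grey caption, a large heading.
const SAMPLE_PALETTE = [
  { name: 'body', fg: '#333333', bg: '#ffffff' },
  { name: 'caption', fg: '#999999', bg: '#ffffff' },
  { name: 'hero-heading', fg: '#777777', bg: '#ffffff', largeText: true },
];
```

Run `auditPalette(SAMPLE_PALETTE)` and only the caption comes back: light grey on white is the classic failure, while the same #777777 that fails for body text passes as large heading text because the large-text threshold is 3:1.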
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
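Tokenizing at the processor keeps card numbers out of your payment form, but customers still type them into support forms, order notes and comment boxes, and once a full card number is in your database or logs, your SAQ A scope is gone. The guard below is an added example, not Stripe's, PayPal's or WooCommerce's code: it screens submitted fields for Luhn-valid card-number-shaped digit runs and rejects the submission, logging only the last four digits. Field names and sample values are constructed.

```javascript
// Added example (not Stripe's, PayPal's or WooCommerce's code): a server-side
// guard that refuses form submissions containing anything that looks like a
// card number, so a PAN typed into a "notes" field never reaches your database
// or logs. Field names and sample values are constructed.

// Luhn check: every real card number passes it, most random digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Return the digit strings in `text` that are both PAN-shaped and Luhn-valid.
function findPanLike(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Only the last four digits may appear in the rejection log entry.
function maskPan(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Screen a flat map of submitted fields. Reject the whole submission on any hit;
// the returned violations are safe to log and to show the customer.
function screenFormFields(fields) {
  const violations = [];
  for (const [field, value] of Object.entries(fields)) {
    for (const pan of findPanLike(value)) violations.push({ field, masked: maskPan(pan) });
  }
  return { ok: violations.length === 0, violations };
}
```

Wire `screenFormFields` in before anything writes the request body anywhere, including error handlers and request logging, and return a message asking the customer to use the payment form instead. Phone numbers and most order references are too short or fail Luhn, so false positives are rare; a 13-digit order number that happens to be Luhn-valid would be caught, which is the safer direction to err.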
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
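The monthly cookie scan in the table is the one task most easily automated, because the question is mechanical: does the server set any cookie that is not in the declared inventory, or any non-essential cookie before a fresh visitor has consented? The scanner below is an added example, not Complianz's or CookieYes's scanner: it parses Set-Cookie headers, compares them with a declared inventory, and flags undeclared cookies, cookies set before consent, and cookies missing the Secure flag. The inventory and the sample headers are constructed for the example.

```javascript
// Added example (not from Complianz, CookieYes or any other scanner): a first-party
// cookie scan that compares what a response actually sets against the cookie
// inventory declared in the cookie policy. The inventory and the sample headers
// are constructed.

// Declared cookies: name (or prefix, when the name ends in '_') -> category.
const DECLARED_COOKIES = {
  PHPSESSID: 'necessary',
  wordpress_logged_in_: 'necessary', // WordPress appends a hash to this prefix
  _ga: 'analytics',
};

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

function declaredCategory(name) {
  for (const [declared, category] of Object.entries(DECLARED_COOKIES)) {
    if (name === declared || (declared.endsWith('_') && name.startsWith(declared))) {
      return category;
    }
  }
  return null;
}

// consentGiven: the categories the test visitor had consented to when the
// response was captured. A fresh visitor has consented to nothing, so any
// non-necessary cookie in that response was set before consent.
function scanSetCookieHeaders(headers, consentGiven = new Set()) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const category = declaredCategory(name);
    if (category === null) {
      findings.push({ name, issue: 'undeclared' });
    } else if (category !== 'necessary' && !consentGiven.has(category)) {
      findings.push({ name, issue: 'set_before_consent', category });
    }
    if (!('secure' in attrs)) findings.push({ name, issue: 'missing_secure_flag' });
  }
  return findings;
}

// Live use on Node 20+: fetch a page as a brand-new visitor and scan the response.
async function scanUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  const headers = typeof res.headers.getSetCookie === 'function' ? res.headers.getSetCookie() : [];
  return scanSetCookieHeaders(headers);
}

// Constructed sample: what a front page might send to a visitor with no consent stored.
const SAMPLE_HEADERS = [
  'PHPSESSID=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax',
  '_ga=GA1.2.1234.5678; Path=/; Secure; Expires=Thu, 01 Jan 2026 00:00:00 GMT',
  '_fbp=fb.1.1700000000.123456; Path=/; Secure',
];
```

On the sample, a fresh visitor gets two findings: `_ga` was set before any consent, and `_fbp` is not in the inventory at all, which is exactly what a newly installed pixel plugin looks like. This only sees cookies set by your own server; cookies set by third-party scripts running in the browser need a browser-driven scan, which is what the consent plugins' scanners do.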
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
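The requirements above (no default consent, one decision per category, withdrawal as easy as acceptance, a stored record of what was agreed and when, and nothing non-essential loaded before the visitor decides) translate directly into code. The following is an added example, not code from this post or from any of the plugins compared below: a small consent manager whose storage and script loader are injected, so the logic runs outside a browser and can be unit-tested. In a page you would pass a cookie- or localStorage-backed store and a loader that injects a script tag. Names such as ConsentManager, POLICY_VERSION and the script URLs are hypothetical.

```javascript
// Added example, not from the original post. Storage and script loading are
// injected so the consent logic can run and be tested without a browser.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Bump this when the cookie policy text changes: consent to an older version
// of the policy does not count as consent to the new one. (constructed value)
const POLICY_VERSION = "2024-01";

class ConsentManager {
  constructor({ store, loadScript, now = () => new Date() }) {
    this.store = store;           // { get(key) -> string, set(key, value) }
    this.loadScript = loadScript; // (category, src) => void, called only after consent
    this.now = now;
    this.pending = [];            // third-party scripts waiting for a decision
  }

  // The stored decision, or null when the visitor has not chosen yet.
  // "No pre-ticked boxes": the absence of a record means no consent.
  current() {
    const raw = this.store.get("consent");
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  // Strictly necessary cookies are exempt; everything else needs an explicit yes.
  allowed(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.choices[category] === true;
  }

  // Granular consent: each category is accepted or rejected on its own.
  // The record captures what was consented to, when, under which policy
  // version and (if known) by which user.
  record(choices, { userId = null } = {}) {
    const rec = {
      version: POLICY_VERSION,
      at: this.now().toISOString(),
      userId,
      choices: Object.fromEntries(
        CATEGORIES.filter(c => c !== "necessary").map(c => [c, choices[c] === true])
      ),
    };
    this.store.set("consent", JSON.stringify(rec));
    this.flush();
    return rec;
  }

  acceptAll(opts) { return this.record(Object.fromEntries(CATEGORIES.map(c => [c, true])), opts); }
  rejectAll(opts) { return this.record({}, opts); }

  // Withdrawal is a single call. Scripts already loaded cannot be unloaded, so a
  // real page would also delete their cookies and reload after withdrawal.
  withdraw() { this.store.set("consent", ""); }

  // Queue a script; it loads only if and when its category is allowed, never before.
  register(category, src) {
    this.pending.push({ category, src });
    this.flush();
  }

  flush() {
    const still = [];
    for (const s of this.pending) {
      if (this.allowed(s.category)) this.loadScript(s.category, s.src);
      else still.push(s);
    }
    this.pending = still;
  }
}

// In-memory stand-in for cookie/localStorage so the example runs anywhere (constructed).
function makeMemoryStore() {
  const m = new Map();
  return { get: k => m.get(k) || "", set: (k, v) => m.set(k, v) };
}

// Walk through one visitor session with constructed script URLs.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({
    store: makeMemoryStore(),
    loadScript: (cat, src) => loaded.push(`${cat}:${src}`),
  });
  cm.register("analytics", "https://analytics.example/script.js");
  cm.register("marketing", "https://ads.example/pixel.js");
  const before = loaded.length;                   // nothing loads before a choice
  cm.record({ analytics: true, marketing: false });
  const afterChoice = [...loaded];                // only the analytics script
  cm.withdraw();
  const afterWithdraw = cm.allowed("analytics");  // false again
  return { before, afterChoice, afterWithdraw };
}
```

The important design choice is that `register()` is the only way a third-party script reaches the page, so "prior consent" is enforced structurally rather than by remembering to check a flag in each tag. Persisting the record with a policy version means a rewritten cookie policy automatically re-prompts returning visitors instead of silently reusing stale consent.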
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
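Where plugin data is not covered by the WordPress tools, you end up writing the export and erasure yourself. The following is an added example, not code from the post or from WordPress: it implements the access/portability and erasure items of the Data Subject Rights checklist above over a constructed in-memory data set with three separate stores (profile, orders, newsletter), including the "with exceptions" part, where order records are kept for the accounting obligation but stripped of identifying fields. The store layout, field names and helper names are hypothetical.

```javascript
// Added example, not from the original post. Stores, records and field names
// are constructed for illustration.

const RESPONSE_DAYS = 30; // the checklist's 30-day window for answering a request

// Constructed sample data: one subject present in three separate stores.
const db = {
  users:      [{ id: 7, name: "Ada Example", email: "ada@example.test", dob: "1990-04-02" }],
  orders:     [{ id: 501, userId: 7, email: "ada@example.test", total: 49.0, placedAt: "2024-03-01" }],
  newsletter: [{ email: "ada@example.test", consentedAt: "2024-01-15", ip: "203.0.113.5" }],
};

// Access and portability: gather everything keyed to the subject from every
// store into one machine-readable JSON document. Returns null for unknown ids.
function exportPersonalData(store, userId) {
  const user = store.users.find(u => u.id === userId);
  if (!user) return null;
  const data = {
    exportedAt: new Date().toISOString(),
    profile: user,
    orders: store.orders.filter(o => o.userId === userId),
    newsletter: store.newsletter.filter(n => n.email === user.email),
  };
  return JSON.stringify(data, null, 2);
}

// Erasure with exceptions: profile and marketing records are deleted outright;
// order records fall under a legal retention obligation, so they are kept but
// pseudonymised (amount and date survive, identity does not). The returned
// report is what you would file with the request.
function erasePersonalData(store, userId) {
  const user = store.users.find(u => u.id === userId);
  if (!user) return { erased: [], retained: [] };
  const report = { erased: [], retained: [] };

  store.users = store.users.filter(u => u.id !== userId);
  report.erased.push("profile");

  const before = store.newsletter.length;
  store.newsletter = store.newsletter.filter(n => n.email !== user.email);
  if (store.newsletter.length < before) report.erased.push("newsletter");

  for (const o of store.orders) {
    if (o.userId === userId) {
      o.userId = null;
      o.email = null;
      report.retained.push({
        record: `order:${o.id}`,
        reason: "legal obligation (accounting records), identifying fields removed",
      });
    }
  }
  return report;
}

// Deadline bookkeeping: a request received on `received` (YYYY-MM-DD) must be
// answered by the returned date.
function responseDeadline(received) {
  const d = new Date(received);
  d.setUTCDate(d.getUTCDate() + RESPONSE_DAYS);
  return d.toISOString().slice(0, 10);
}
```

Running the export before the erasure and keeping the erasure report gives you both halves of the paper trail: what the subject received and what you removed or retained and why. Matching the newsletter store by email rather than user id reflects a common real-world gap, where marketing data was collected before the person ever had an account.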
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
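Client-side tokenization keeps card numbers off your server by design, but a mis-built custom form or a number pasted into a free-text field can still deliver one. The following is an added example, not code from the post, Stripe, PayPal or WooCommerce: a server-side guard that screens incoming form submissions for anything that looks like a primary account number (13 to 19 digits passing the Luhn check) and refuses them before they reach your database or logs. The function names are hypothetical, and the sample submissions use a widely published Luhn-valid test number, not a real card.

```javascript
// Added example, not from the original post. Screens form bodies for
// card-number-like values so accidental card data is rejected rather than stored.

// Luhn (mod 10) check that every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Card numbers are 13 to 19 digits, often typed with spaces or dashes between groups.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Returns the names of fields whose value contains a Luhn-valid 13-19 digit run.
// Plain long numbers (order references, tracking ids) usually fail Luhn and pass.
function findPanFields(body) {
  const hits = [];
  for (const [field, value] of Object.entries(body)) {
    if (typeof value !== "string") continue;
    for (const m of value.match(PAN_CANDIDATE) || []) {
      const digits = m.replace(/[ -]/g, "");
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
        hits.push(field);
        break;
      }
    }
  }
  return hits;
}

// Decide whether a submission may proceed. Offending fields are named but their
// contents are never copied into the result, so the rejection can be logged
// without the log itself becoming a store of card data.
function screenSubmission(body) {
  const fields = findPanFields(body);
  return fields.length === 0
    ? { ok: true }
    : { ok: false, reason: "possible card number in fields: " + fields.join(", ") };
}
```

Put the check in front of every handler that persists user input (contact forms, support tickets, profile fields), not only the checkout, because the stray card number in a support message is the one nobody planned for. Returning only field names is deliberate: a rejection message that echoed the value would move the card data into your error logs.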
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
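The five requirements above map directly onto a small consent gate: nothing non-essential runs until an explicit, per-category choice is recorded, the record captures what, when and under which policy version, and withdrawal is just another recorded choice. This is an added example written for this page, not code from the original post or from any consent plugin; the category names, policy version string and script manifest are constructed for illustration.

```javascript
// Added example: a minimal consent gate modelling the legal requirements above.
// Category names and the script manifest are constructed for illustration.

const NECESSARY = "strictly_necessary";
const CATEGORIES = ["functional", "analytics", "marketing"]; // non-essential, consent required

// Constructed manifest: every third-party script is tagged with the category it needs.
const SCRIPT_MANIFEST = [
  { id: "csrf-helper", category: NECESSARY, src: "/js/csrf.js" },
  { id: "analytics", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
];

// State before any choice: nothing non-essential is granted ("prior" consent, no
// pre-ticked boxes). decided=false tells the UI the banner still has to be shown.
function initialConsent(policyVersion) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { decided: false, policyVersion, choices };
}

// Record an explicit, granular choice. Every category must carry an explicit boolean;
// anything else is rejected, so scrolling, bundled or implied acceptance can never be
// written down as consent.
function recordChoice(state, selected, now) {
  const choices = {};
  for (const c of CATEGORIES) {
    if (typeof selected[c] !== "boolean") {
      throw new Error(`explicit yes/no required for category "${c}"`);
    }
    choices[c] = selected[c];
  }
  // The consent record: what was consented to, when, and under which policy version.
  return {
    decided: true,
    policyVersion: state.policyVersion,
    timestamp: now.toISOString(),
    choices,
  };
}

// Withdrawal is as easy as granting: one call, recorded at the time it is made.
function withdraw(state, category, now) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
  return recordChoice(state, { ...state.choices, [category]: false }, now);
}

function isAllowed(state, category) {
  if (category === NECESSARY) return true; // exempt, never gated
  return state.decided && state.choices[category] === true;
}

// Script blocking: return only the scripts whose category is allowed right now.
// The page injects these (e.g. by creating <script> elements) and nothing else,
// so no analytics or marketing cookie can be set before consent exists.
function scriptsToLoad(state, manifest = SCRIPT_MANIFEST) {
  return manifest.filter((s) => isAllowed(state, s.category)).map((s) => s.id);
}

// Consent given under an older policy version is stale and must be asked for again.
function needsReconsent(state, currentPolicyVersion) {
  return !state.decided || state.policyVersion !== currentPolicyVersion;
}
```

Persist the object returned by `recordChoice` (server-side or in a first-party cookie) and you have the consent log the last requirement asks for.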
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (a cookie-less configuration such as Matomo's is the exception) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
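Even with tokenized checkout, card numbers still leak into PCI scope through contact or support forms where a customer pastes one, and through logs. As an added example (not from the post or from Stripe, PayPal or WooCommerce), here is a server-side guard that rejects such submissions before they are stored and redacts any number that reaches a log line; the form field names and sample text are constructed.

```javascript
// Added example: keep card numbers out of your own forms and logs. The detection
// is a simple heuristic (digit run + Luhn checksum), enough to stop the common
// case of a customer pasting a card number into a support form.

// Luhn check over a string of digits (the checksum every payment card number carries).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally grouped by spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return every Luhn-valid candidate found in the text (empty array if none).
function findCardNumbers(text) {
  const found = [];
  for (const m of text.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Reject a form submission (contact, support, registration) if any field carries a PAN.
// Returns the offending field names; an empty array means the submission may be stored.
function fieldsWithCardData(fields) {
  return Object.keys(fields).filter((k) => findCardNumbers(String(fields[k])).length > 0);
}

// Redact PANs in a log line, keeping only the last four digits for support purposes.
function redactCardNumbers(line) {
  return line.replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? "*".repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}
```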
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify users of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
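To make the consent requirements in the list above and the category table concrete, here is an added example in plain browser JavaScript; it is not code from the original post or from any of the consent plugins compared below. No optional category is pre-ticked, consent is recorded per category together with a timestamp and the method used, withdrawal is a single call, and third-party tags stay inert until their category has been consented to, which is what "prior" consent means in practice. The storage key, the policy version string and the `data-consent` attribute are assumptions for the demo.

```javascript
// Added example, not code from the original post or from any of the plugins
// it compares. It implements the rules above in plain browser JavaScript:
// nothing non-essential is pre-ticked, consent is per category, a record of
// what/when/how is written, withdrawal is one call, and scripts tagged with a
// category stay inert until that category is consented to ("prior" consent).
// CONSENT_KEY, POLICY_VERSION and the data-consent attribute are assumptions.

const CONSENT_KEY = 'site_consent';   // assumed localStorage key
const POLICY_VERSION = '2026-01';     // assumed; bump it whenever the cookie policy changes

// The four categories from the table above. Only "necessary" is exempt.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const OPTIONAL = CATEGORIES.filter(c => c !== 'necessary');

// Default banner state: no optional category is ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

function acceptAllChoices() {
  return { necessary: true, functional: true, analytics: true, marketing: true };
}

// Turn the user's explicit choices into a consent record. `method` documents
// how consent was given ("banner_accept_all", "banner_reject_all",
// "settings_panel"); `now` is injectable so the record is testable.
function buildConsentRecord(choices, method, now = new Date()) {
  const given = choices || {};
  const record = { version: POLICY_VERSION, timestamp: now.toISOString(), method, choices: defaultChoices() };
  for (const cat of OPTIONAL) {
    record.choices[cat] = given[cat] === true;   // only an explicit boolean true counts as consent
  }
  return record;
}

// Consent for a category exists only if a record for the *current* policy
// version says so. No record (the visitor scrolled past the banner) means no.
function consentGiven(record, category) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category)) return false;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.choices[category] === true;
}

// --- browser glue (skipped when there is no DOM, e.g. in a test runner) ---
function saveConsent(record) {
  if (typeof localStorage === 'undefined') return;
  localStorage.setItem(CONSENT_KEY, JSON.stringify(record));
  // In practice also POST the record to your server-side consent log (not shown).
}

function loadConsent() {
  if (typeof localStorage === 'undefined') return null;
  try { return JSON.parse(localStorage.getItem(CONSENT_KEY)); } catch { return null; }
}

// Withdrawal must be as easy as giving consent: one call from the footer link,
// then a reload so scripts that were already activated stop running.
function withdrawConsent() {
  if (typeof localStorage === 'undefined') return;
  localStorage.removeItem(CONSENT_KEY);
  location.reload();
}

// Embed third-party tags as <script type="text/plain" data-consent="analytics" src="...">.
// Browsers ignore text/plain scripts, so nothing runs until we swap them in here.
function activateConsentedScripts(record) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!consentGiven(record, el.dataset.consent)) continue;
    const s = document.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}
```

On page load call `activateConsentedScripts(loadConsent())`; the banner's buttons call `saveConsent(buildConsentRecord(acceptAllChoices(), 'banner_accept_all'))` or the reject/settings equivalents and then activate again. Note that a record kept only in the browser is not the consent log the text asks for; the server-side copy is what you produce for a regulator.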
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: the browser sends the card details straight to the processor, which returns a token, and only that token is sent to your server.
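The server side of that arrangement should be enforced, not just assumed: the only card-related field your checkout endpoint should ever receive is the processor token. The following added example (not Stripe's, PayPal's or WooCommerce's code) is a Node.js guard for such an endpoint that refuses any submission still carrying a raw card number, which is what a misconfigured or tampered form looks like, and flags it without logging the value. The `pm_`/`tok_` token prefixes, the `paymentMethod` field name and the result shape are assumptions for the demo.

```javascript
// Added example (not Stripe's, PayPal's or WooCommerce's code): a server-side
// guard for the checkout endpoint of a site that uses a tokenizing form.
// Token prefixes, the field name and the result shape are assumptions.

// Luhn checksum: every real card number passes it, so a 13-19 digit string
// that passes is treated as a PAN (primary account number) and refused.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');   // tolerate "4242 4242 ..." and dashes
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk every string in the submitted body (nested objects included) and
// return the paths that contain something PAN-shaped. Values are never copied
// into the result, so the report is safe to log.
function findPanFields(body, path = '') {
  const hits = [];
  if (body && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Assumed token shapes: Stripe payment methods start with "pm_", legacy tokens with "tok_".
const TOKEN_RE = /^(pm|tok)_[A-Za-z0-9]+$/;

// { ok, reason, panFields }: the caller refuses the request on !ok and, for
// 'raw_card_data', raises an alert, because a PAN reaching the server pulls
// it into PCI scope and usually means the front-end integration is broken.
function validateCheckout(body) {
  const panFields = findPanFields(body);
  if (panFields.length) return { ok: false, reason: 'raw_card_data', panFields };
  const token = (body && body.paymentMethod) || '';
  if (!TOKEN_RE.test(token)) return { ok: false, reason: 'missing_token', panFields };
  return { ok: true, reason: null, panFields };
}
```

Run `validateCheckout(req.body)` before anything else in the handler; the `panFields` paths tell you which form field leaked (for example `card.number`) so the front end can be fixed, while the number itself never enters your logs or database.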
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
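An added example, not code from the article, Stripe or WooCommerce: a server-side guard for your own form handlers that rejects any field that looks like a card number (13 to 19 digits with a valid Luhn check digit) and redacts such numbers from free text before it is logged, so a misconfigured form cannot put card data into your database or log files. Field names and the payment-method value in the comments are constructed.

```javascript
// Added example (not the article's code): keep primary account numbers (PANs)
// out of your own forms, database and logs. The only card-related value your
// server should ever receive is the processor's opaque token or payment-method id.

// Luhn check digit test: true when the digit string passes the mod-10 rule.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48; // '0'..'9' -> 0..9
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value looks like a card number when, after removing the separators people
// type (spaces, dashes), it is 13 to 19 digits and passes Luhn. Order numbers
// and phone numbers almost never satisfy both conditions.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Replace Luhn-valid digit runs in free text (a note field, a log line, a
// support ticket). Runs that fail Luhn, such as order ids, are left alone.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (run) =>
    looksLikeCardNumber(run) ? "[PAN REDACTED]" : run
  );
}

// Inspect a submitted form (field name -> value). Returns { ok: true, fields }
// when nothing resembles a PAN, otherwise { ok: false, field, reason } naming
// the offending field without echoing its value back.
function inspectSubmission(fields) {
  for (const [name, value] of Object.entries(fields)) {
    if (value == null) continue;
    const text = String(value);
    if (looksLikeCardNumber(text) || redactPans(text) !== text) {
      return { ok: false, field: name, reason: "card number detected" };
    }
  }
  return { ok: true, fields };
}
```

Call `inspectSubmission` before any write and drop the request when `ok` is false; run `redactPans` over anything that goes to a log or an e-mail.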
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
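Even with a tokenizing checkout, card numbers can still leak into your systems through free-text fields (a contact form, an order note, a support ticket), which silently widens your PCI scope. The guard below is an added example written for this post (not Stripe, PayPal or WooCommerce code): it scans a submitted form for 13-19 digit runs that pass the Luhn check and refuses to store the submission, reporting only a masked value so the finding itself never becomes stored card data. The sample submissions are constructed.

```javascript
// Added example: server-side guard that keeps PAN-like values out of your own database.

// Luhn check: filters out ordinary numbers (order refs, phone numbers) that merely look long.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes (how people type card numbers).
const PAN_CANDIDATE = /(?:\d[ -]?){13,19}/g;

function mask(digits) {
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Returns masked forms of every Luhn-valid candidate in a piece of text.
function findPanLike(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(mask(digits));
  }
  return hits;
}

// Scan every field of a form post; findings carry the field name and a masked value only.
function scanSubmission(fields) {
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const masked of findPanLike(value)) findings.push({ field: name, masked });
  }
  return findings;
}

// Decide whether the post may be persisted. Call this before any database write,
// e-mail notification or CRM sync; on rejection, log the masked finding and ask
// the user to resubmit without the card number.
function guardFormSubmission(fields) {
  const findings = scanSubmission(fields);
  return findings.length
    ? { accept: false, reason: 'card_number_detected', findings }
    : { accept: true, findings: [] };
}

// Constructed samples. The 16-digit order reference is not Luhn-valid, so it is
// not flagged; the well-known test card number in the second sample is.
const SAMPLE_OK = { name: 'A. Example', phone: '+1 415 555 0100', message: 'Order ref 1234567890123456' };
const SAMPLE_BAD = { name: 'A. Example', message: 'my card is 4242 4242 4242 4242 exp 12/30' };
```

Because the regex works on digit runs, widen `PAN_CANDIDATE` if your forms accept other separators; the Luhn step stays the same.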
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
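The requirements listed above (active choice, granular categories, easy withdrawal, a stored record) and the category table can be expressed as a small consent gate that sits between the banner and any third-party tag. This is an added example written for this page, not code from Complianz, CookieBot or any other plugin discussed here; the function names, the `data-consent` attribute on blocked script tags and the policy-version check are assumptions.

```javascript
// Added example: a minimal consent state for a cookie banner. Not taken from any
// plugin on this page; names and the data-consent attribute are assumptions.

// Categories from the table above. "necessary" never needs consent.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// State before the visitor has chosen anything: nothing is pre-ticked, so only
// strictly necessary cookies are allowed and no non-essential script may run.
function initialConsent(policyVersion) {
  return {
    policyVersion,
    decided: false,
    granted: { necessary: true, functional: false, analytics: false, marketing: false },
    decidedAt: null,
    method: null,
  };
}

// Record an active choice. `choices` lists only the categories the visitor ticked;
// anything not listed stays off. `method` documents how consent was given, e.g.
// "banner-accept-all", "banner-reject-all" or "settings-panel" (assumed labels).
function decide(state, choices, method, now) {
  const granted = { necessary: true, functional: false, analytics: false, marketing: false };
  for (const c of choices) {
    if (c === 'necessary') continue; // always on, cannot be un-ticked
    if (!CATEGORIES.includes(c)) throw new Error(`unknown consent category: ${c}`);
    granted[c] = true;
  }
  return { ...state, decided: true, granted, decidedAt: now.toISOString(), method };
}

// Withdrawal must be as easy as giving consent: one call switches every
// non-essential category off and is itself recorded as a decision.
function withdrawAll(state, now) {
  return decide(state, [], 'withdraw-all', now);
}

// The gate every script loader consults. Necessary cookies need no consent;
// everything else requires an explicit, current decision for that category.
function isAllowed(state, category) {
  if (category === 'necessary') return true;
  return state.decided && state.granted[category] === true;
}

// Consent given under an older cookie policy does not carry over; when the
// policy version changes the banner has to be shown again.
function needsPrompt(state, currentPolicyVersion) {
  return !state.decided || state.policyVersion !== currentPolicyVersion;
}

// The record to persist server-side: what was consented to, when, by which
// visitor and how. The visitor is identified by an opaque id so the consent log
// itself holds no more personal data than it needs.
function consentRecord(state, visitorId) {
  return {
    visitorId,
    policyVersion: state.policyVersion,
    decidedAt: state.decidedAt,
    method: state.method,
    granted: CATEGORIES.filter((c) => state.granted[c]),
  };
}

// Script blocking: third-party tags are shipped as
// <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never executes them on its own. Given those elements, return
// the ones whose category is now allowed.
function scriptsToActivate(blockedScripts, state) {
  return blockedScripts.filter(
    (s) => s.type === 'text/plain' && isAllowed(state, s.dataset.consent),
  );
}

// Browser side: re-create each permitted script so it actually executes
// (changing `type` on an existing element does not run it).
function activateScripts(doc, state) {
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  for (const old of scriptsToActivate(blocked, state)) {
    const fresh = doc.createElement('script');
    if (old.src) fresh.src = old.src; else fresh.textContent = old.textContent;
    old.replaceWith(fresh);
  }
}
```

In a page, `activateScripts(document, state)` runs once after every decision and again on each page load with the stored state, so a tag is only ever executed after the matching category was granted; anything a plugin injects without the `data-consent` marker bypasses the gate, which is what the monthly cookie scan in the maintenance table is meant to catch.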
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
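The rules above, as an added example that is not code from the article or from any of the plugins it compares: optional categories are off until chosen, each category is granted on its own, withdrawal is as simple as granting, and every choice produces a record of what was consented to, when, and by whom. The category names, the `data-consent` attribute and `POLICY_VERSION` are our own assumptions.

```javascript
// Consent-gated loading, in the style the page describes. Assumed names:
// CATEGORIES, POLICY_VERSION and the data-consent attribute are ours, not
// anything a particular plugin or law prescribes.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Bump this whenever the cookie policy text changes: a record made against an
// older version is stale and the banner must ask again. Constructed value.
const POLICY_VERSION = '2024-05-01';

// State before the visitor has chosen anything: only strictly necessary
// cookies may be set. No optional category is pre-ticked ("prior consent").
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn the banner's checkboxes into a consent record. `choices` maps category
// name to boolean; anything missing or not strictly `true` counts as refused.
// `method` documents how consent was given ('accept_all', 'reject_all',
// 'custom' or 'withdrawn') so the record can be audited later.
function buildConsentRecord(choices, method, visitorId, now) {
  const granted = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices[cat] === true) granted[cat] = true;
  }
  return {
    visitorId, // pseudonymous id; store no more than you need to prove consent
    timestamp: now.toISOString(),
    policyVersion: POLICY_VERSION,
    method,
    granted,
  };
}

// The two buttons every banner must offer with equal prominence.
function acceptAll(visitorId, now) {
  const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  return buildConsentRecord(all, 'accept_all', visitorId, now);
}
function rejectAll(visitorId, now) {
  return buildConsentRecord({}, 'reject_all', visitorId, now);
}

// Withdrawal writes a new record rather than deleting the old one, so the log
// shows both the original consent and when it was revoked.
function withdrawConsent(visitorId, now) {
  return buildConsentRecord({}, 'withdrawn', visitorId, now);
}

// A record only authorises cookies if it was given for the current policy.
function isRecordCurrent(record) {
  return !!record && record.policyVersion === POLICY_VERSION;
}

// May a script tagged with `category` run under this record? With no record,
// or a stale one, only strictly necessary scripts run. Unknown tags fail closed.
function isAllowed(category, record) {
  if (category === 'necessary') return true;
  if (!CATEGORIES.includes(category)) return false;
  return isRecordCurrent(record) && record.granted[category] === true;
}

// Browser side. Third-party tags are shipped as
// <script type="text/plain" data-consent="analytics"> so the browser never
// executes them before consent; this swaps in a live script element for each
// granted category and returns the categories it activated for logging.
function activateBlockedScripts(record, doc) {
  const activated = [];
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const el of Array.from(blocked)) {
    const cat = el.getAttribute('data-consent');
    if (!isAllowed(cat, record)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated.push(cat);
  }
  return activated;
}
```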
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A “by using the site you accept these terms” notice (browsewrap) is weakly enforceable; for anything with accounts or payments use an explicit checkbox or button (clickwrap)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule is not limited to cookies: it covers any storing of, or reading from, the visitor’s device, so localStorage entries, tracking pixels, and fingerprinting scripts need the same consent.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and by whom. The standard record holds a pseudonymous consent ID (not a name), a timestamp, the categories chosen, and the version of the banner or policy text that was shown; a later withdrawal is logged against the same ID
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - exempt from consent (still listed in your cookie policy) |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent unless the user explicitly asked for the feature |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (cookie-less, anonymised audience measurement is the exception - see Privacy-First Analytics) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
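To make the requirements above and the “script blocking” column in the plugin comparison concrete, here is a minimal consent gate in plain JavaScript. It is an added example, not code from this post or from any of the plugins compared below. It enforces the rules the way a practitioner wants them enforced: nothing non-essential runs before an active choice, consent is stored per category, the stored record carries a policy version so that a changed policy re-prompts, withdrawal is one call, and every decision is logged. The policy version string, the storage key, and the `data-category` markup convention are assumptions made for the example; storage is injected so the logic also runs outside a browser.

```javascript
// Added example (not from the post or any consent plugin): a minimal consent gate.
// No non-essential script runs before an active choice, consent is per category,
// the record is tied to a policy version (a changed policy re-prompts), consent
// can be withdrawn, and every decision is logged.

const POLICY_VERSION = "2024-06-01"; // assumed: bump whenever the cookie policy text changes
const CONSENT_KEY = "cookie_consent"; // assumed storage key
// "necessary" is never asked about and always allowed (strictly necessary, exempt).
const CATEGORIES = ["functional", "analytics", "marketing"];

function newConsentId() {
  // Pseudonymous identifier for the consent log: links a visitor's choices and
  // later withdrawals without storing a name or account.
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

function createConsentManager(storage, now = () => new Date(), log = []) {
  const loadRaw = () => {
    try { return JSON.parse(storage.getItem(CONSENT_KEY)); } catch { return null; }
  };
  // A record for an older policy version is not consent for the current one.
  const load = () => {
    const rec = loadRaw();
    return rec && rec.version === POLICY_VERSION ? rec : null;
  };
  const save = (choices, action) => {
    const prev = loadRaw();
    const record = {
      id: (prev && prev.id) || newConsentId(), // keep the same ID across re-consent and withdrawal
      version: POLICY_VERSION,
      timestamp: now().toISOString(),
      action,   // "accept_all" | "reject_all" | "custom" | "withdraw"
      choices,  // { functional: bool, analytics: bool, marketing: bool }
    };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    log.push(record); // in production: also POST the record to your consent-log endpoint
    return record;
  };
  const all = (value) => Object.fromEntries(CATEGORIES.map((c) => [c, value]));
  return {
    log,
    needsPrompt: () => load() === null,
    // Absence of a record never unlocks anything: the default is "not consented".
    allows(category) {
      if (category === "necessary") return true;
      const rec = load();
      return rec !== null && rec.choices[category] === true;
    },
    acceptAll: () => save(all(true), "accept_all"),
    rejectAll: () => save(all(false), "reject_all"),
    // Unknown keys are ignored; anything not explicitly true is false.
    custom: (choices = {}) =>
      save(Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true])), "custom"),
    withdraw: () => save(all(false), "withdraw"),
  };
}

// Script blocking: tags ship as <script type="text/plain" data-category="analytics">
// so the browser parses but never executes them; activateScripts() swaps in an
// executable clone only for the categories the visitor allowed.
function activateScripts(manager, doc) {
  const activated = [];
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    const category = el.getAttribute("data-category");
    if (!manager.allows(category)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== "type") live.setAttribute(name, value); // keeps src, async, data-*
    }
    live.textContent = el.textContent;
    el.replaceWith(live);
    activated.push(category);
  }
  return activated;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  const consent = createConsentManager(window.localStorage);
  // Banner buttons call consent.acceptAll() / rejectAll() / custom({...}) and then
  // activateScripts(consent, document); the footer "cookie settings" link reopens the banner.
  if (!consent.needsPrompt()) activateScripts(consent, document);
}
```

Ship gated tags as `<script type="text/plain" data-category="analytics" src="...">`: the browser will not execute `text/plain`, and `activateScripts()` only promotes the categories the record allows, so a tag that loads before the banner is answered stays inert. The `log` array is the in-page view of what goes to your consent-log endpoint, and the stale-version check is what makes “we changed the policy” re-prompt everyone without clearing their storage.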
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Geo-targeting works from IP geolocation, so it misses EU visitors on VPNs or corporate proxies; if you would rather be safe than minimal, show the banner to everyone.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide a copy of the data within one month; extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in a structured, machine-readable format such as JSON or CSV)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form), and verify the requester’s identity before releasing anything - a forged access request is a cheap way for an attacker to pull someone else’s data out of you
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order. A DPA alone does not cover sending data outside the EU/EEA: for a US vendor you also need a transfer mechanism (Standard Contractual Clauses, or the vendor’s certification under the EU-US Data Privacy Framework), which is usually bundled into the same document - check that it is.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Both work on a request flow: you enter the requester’s email address, WordPress sends them a confirmation link, and the export or erasure only runs after they click it, which doubles as identity verification. These tools cover core WordPress data (user profiles, comments, media) but not plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions register their own exporters and erasers; data held by plugins that do not is silently left out of the export.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Keep an internal log of every breach, including the ones you decide not to report and why - the regulator can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting and SaaS vendors are obliged (through the DPA) to tell you about breaches promptly, because the 72-hour clock starts when you become aware, not when they do.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out - the CPRA regulations treat it as a valid request, so a visitor whose browser sends it must not be fed to advertising pixels. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the GPC signal is handled as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first. Automated scanners only catch the mechanically checkable issues; a keyboard-only and screen-reader walkthrough of your key flows (registration, checkout, the cookie banner itself) is still needed.
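The 4.5:1 figure comes from a defined computation, and it is cheap to check a palette in a build step rather than waiting for a scan to flag body text. The following is an added example, not code from this post, WAVE or axe: it implements WCAG 2.1’s relative luminance and contrast-ratio formulas and grades a pair of colours against the AA and AAA thresholds. The colour pairs fed to it are constructed for the example.

```javascript
// Added example (not from the post, WAVE or axe): WCAG 2.1 contrast computation.

function hexToRgb(hex) {
  let h = hex.replace(/^#/, "");
  if (h.length === 3) h = h.split("").map((c) => c + c).join("");
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error("expected #rgb or #rrggbb, got " + hex);
  const n = parseInt(h, 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0-255) to linear light, per WCAG 2.1's relative luminance definition.
function channelToLinear(c) {
  const s = c / 255;
  return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(channelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// WCAG 2.1: normal text needs 4.5:1 for AA and 7:1 for AAA; large text
// (at least 18pt, or 14pt bold) needs 3:1 for AA and 4.5:1 for AAA.
function wcagLevel(fg, bg, { largeText = false } = {}) {
  const ratio = contrastRatio(fg, bg);
  const [aa, aaa] = largeText ? [3, 4.5] : [4.5, 7];
  return ratio >= aaa ? "AAA" : ratio >= aa ? "AA" : "fail";
}

// Grade a whole palette of [foreground, background, largeText?] pairs at once.
function auditPalette(pairs) {
  return pairs.map(([fg, bg, largeText]) => ({
    fg,
    bg,
    ratio: Math.round(contrastRatio(fg, bg) * 100) / 100,
    level: wcagLevel(fg, bg, { largeText: !!largeText }),
  }));
}

// Constructed palette: the classic "#777 on white" body-text mistake lands just under 4.5:1,
// while #767676 (one step darker) passes.
const samplePalette = [
  ["#777777", "#ffffff"],
  ["#767676", "#ffffff"],
  ["#000000", "#ffffff"],
  ["#777777", "#ffffff", true],
];

for (const result of auditPalette(samplePalette)) console.log(result);
```

Run `auditPalette()` over the colour pairs your theme actually uses for text and fail the build on any `"fail"`; the one-step difference between `#777777` and `#767676` is why eyeballing a palette is not enough.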
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and keep them out of logs, support tickets, and email: a card number pasted into an order note or a contact form is in scope the moment you save it. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side (in fields served by the processor) and tokenizing them before anything reaches your server. PCI DSS v4 also pays attention to what else runs on the payment page - requirements 6.4.3 and 11.6.1 cover an inventory of the scripts on payment pages and tamper detection for them - so keep third-party tags off your checkout page, load what remains with Subresource Integrity, and put a Content Security Policy on that page.
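One guard that enforces the “never store a card number” rule on your side of the boundary: reject any submission that contains something that looks like a card number, and redact it before anything is logged. This is an added example, not code from this post or from Stripe, PayPal or WooCommerce. It relies on the Luhn check that every real card number satisfies; the field names and sample values are constructed for the example.

```javascript
// Added example (not from the post or any payment processor): a server-side guard
// that keeps card numbers out of your database and logs when they arrive in a
// field that was never meant to carry one.

// Luhn check (ISO/IEC 7812): every real card number passes it, so it filters
// out most digit runs that merely have card-number length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, "");
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Replace every PAN in a string with its last four digits, e.g. "****4242".
function redactPans(text) {
  return text.replace(PAN_CANDIDATE, (m) =>
    isPan(m) ? "****" + m.replace(/[ -]/g, "").slice(-4) : m
  );
}

// Inspect a form submission (field name -> value). Returns whether it is safe to
// store, which fields contained card numbers, and a redacted copy that is safe
// to write to an error log or support ticket.
function guardSubmission(fields) {
  const offending = [];
  const redacted = {};
  for (const [name, value] of Object.entries(fields)) {
    const text = String(value);
    const cleaned = redactPans(text);
    if (cleaned !== text) offending.push(name);
    redacted[name] = cleaned;
  }
  return { ok: offending.length === 0, offending, redacted };
}

// Constructed sample: a customer pastes a card number into a free-text field.
const sampleSubmission = {
  name: "A. Tester",
  note: "my card is 4242 4242 4242 4242 thanks", // Luhn-valid test number
  order: "4242424242424241",                     // fails Luhn: an order reference, not a card
};

const verdict = guardSubmission(sampleSubmission);
console.log(
  verdict.ok
    ? "safe to store"
    : "rejected: card data in field(s) " + verdict.offending.join(", "),
  verdict.redacted
);
```

Wire `guardSubmission()` in front of whatever persists form data and order notes, and route only the `redacted` copy into logs and alerts. The Luhn check filters out most long digit runs that merely look like card numbers, but roughly one in ten random 16-digit strings passes it, so treat a hit as “refuse and alert”, not as proof; the guard also will not catch a number split across two fields or written with unusual separators, which is why it complements, rather than replaces, keeping the card fields on the processor’s side.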
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the registration must be renewed every three years or it lapses, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 in the US; in the EU, GDPR sets the age of digital consent at 16 but lets member states lower it to as low as 13, so check the countries you serve), and add a date of birth or age check to registration forms if there is any possibility of underage users. Note the trap: once you ask for a date of birth you have actual knowledge of the user’s age, so the form must actually block under-age sign-ups rather than just recording the date.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version that was accepted alongside the user record, because you will need both if a dispute arises after the terms have changed. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing box must be unchecked by default.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies disabled and IP anonymisation on, several supervisory authorities (the French CNIL publishes explicit conditions) treat it as audience measurement that does not need consent; it still needs a privacy-policy entry and a defined retention period.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
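The "never on your server" rule is easiest to enforce with a guard in your own form handlers. The code below is an added example, not from the original post or from Stripe/PayPal: it finds card-number-shaped values with a Luhn check and rejects the submission before anything reaches the database or the logs. Field names and the sample submission are constructed; 4242 4242 4242 4242 and 4111 1111 1111 1111 are public test numbers, not real cards.

```javascript
// Added example, not from the original post: a server-side guard that refuses
// to accept or persist anything that looks like a primary account number (PAN).
// The sample submission and field names are constructed for this example.

// Luhn check: the checksum every real card number satisfies. It filters out
// most order numbers and phone numbers that merely have the right length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
// The word boundaries stop a longer digit run from matching by its suffix.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns every Luhn-valid candidate in the text, digits only.
function findPans(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Keep only the BIN and last four for the rejection log; never log the PAN.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Gate for your own form handlers: a submission carrying a PAN is rejected
// before it can be stored. The only card-related value your server should
// ever receive is the processor's token, which contains no card digits.
// A hit is "block and ask the user to remove it", since a Luhn-valid
// reference number is a possible (rare) false positive.
function screenSubmission(fields) {
  const violations = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findPans(value)) {
      violations.push({ field: name, masked: maskPan(pan) });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample: a free-text "notes" field into which a customer pasted
// their card number, as happens on real checkout and support forms.
const sampleSubmission = {
  email: 'customer@example.com',
  order_ref: '2026-0001-7788',
  notes: 'Card did not go through, number is 4242 4242 4242 4242 exp 12/28',
  payment_method: 'pm_placeholder_token', // stand-in for a processor token
};
```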
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
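The state machine behind a banner that meets those five requirements, written without the UI, as an added example that is not from the original post or from any of the plugins compared below. The category names, policy version, visitor id and the in-memory log are constructed; a real deployment persists the log server-side and injects `<script>` tags for the allowed entries.

```javascript
// Added example, not from the original post or any plugin: consent state and
// records for a cookie banner. Names and the in-memory log are constructed.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const ALWAYS_ON = new Set(['necessary']); // strictly necessary: exempt from consent

// The unanswered default: everything off except the exempt category.
function noConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = ALWAYS_ON.has(c);
  return choices;
}

class ConsentManager {
  // policyVersion ties each record to the cookie policy text the visitor saw;
  // bump it when the policy changes so old consent is re-asked, not reused.
  constructor({ policyVersion, visitorId, now = () => new Date(), log = [] }) {
    this.policyVersion = policyVersion;
    this.visitorId = visitorId;
    this.now = now;
    this.log = log;    // append-only consent record
    this.state = null; // null = banner not answered yet
  }

  // Prior consent: until the visitor answers, only strictly necessary is
  // allowed. No pre-ticked boxes: the default is "off" for everything else.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (ALWAYS_ON.has(category)) return true;
    if (!this.state || this.state.policyVersion !== this.policyVersion) return false;
    return this.state.choices[category] === true;
  }

  // Granular save: per-category choices; necessary cannot be switched off and
  // anything not explicitly true stays off.
  save(choices, method) {
    const merged = noConsent();
    for (const c of CATEGORIES) {
      if (!ALWAYS_ON.has(c) && choices[c] === true) merged[c] = true;
    }
    const record = {
      visitorId: this.visitorId,
      policyVersion: this.policyVersion,
      timestamp: this.now().toISOString(),
      method, // 'accept_all' | 'reject_all' | 'custom' | 'withdraw'
      choices: merged,
    };
    this.log.push(record);
    this.state = record;
    return record;
  }

  acceptAll() {
    const all = {};
    for (const c of CATEGORIES) all[c] = true;
    return this.save(all, 'accept_all');
  }

  // Reject All must be as easy as Accept All: one call, one click.
  rejectAll() {
    return this.save({}, 'reject_all');
  }

  // Withdrawal is just another record, so the log shows the whole history.
  withdraw() {
    return this.save({}, 'withdraw');
  }

  // Load a record saved earlier (e.g. from the consent cookie). isAllowed()
  // ignores it if it was given under an older policy version.
  restore(record) {
    this.state = record;
  }

  // Script gating: returns the inventory entries that may be injected now.
  allowedScripts(scripts) {
    return scripts.filter((s) => this.isAllowed(s.category));
  }
}

// Constructed script inventory, as a cookie scan might categorise it.
const SCRIPT_INVENTORY = [
  { name: 'session-auth', category: 'necessary' },
  { name: 'analytics-tag', category: 'analytics' },
  { name: 'ad-pixel', category: 'marketing' },
];
```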
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
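The five requirements above translate fairly directly into code. The block below is an added example, not code from this post or from any of the plugins compared later; it assumes a site convention (not from the page) that non-essential `<script>` tags ship as `type="text/plain"` with a `data-consent-category` attribute, and the category names, policy version and sample script URLs are constructed.

```javascript
// Added example, not code from the post or from any plugin it compares.
// Assumed site convention: non-essential <script> tags ship as
// type="text/plain" with data-consent-category="…" and are activated only
// for categories the visitor has actively granted.
const CATEGORIES = ['functional', 'analytics', 'marketing'];
// Constructed placeholder: bump whenever the cookie policy text changes so
// that records for the old text are not treated as consent to the new one.
const POLICY_VERSION = '2024-06';

// No pre-ticked boxes: every non-essential category starts refused.
function defaultChoices() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return choices;
}

// Consent record: what was consented to, when, under which policy version,
// by which (pseudonymous) visitor and through which action. Only an explicit
// `true` counts as a grant; unknown category names are dropped.
function buildRecord(choices, visitorId, method, now = new Date()) {
  const granted = defaultChoices();
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return {
    visitorId,
    method,
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    granted,
  };
}

// "Reject All" must be one click, exactly like "Accept All".
function rejectAll(visitorId, now) {
  return buildRecord({}, visitorId, 'reject_all', now);
}

function acceptAll(visitorId, now) {
  const all = {};
  for (const c of CATEGORIES) all[c] = true;
  return buildRecord(all, visitorId, 'accept_all', now);
}

// Withdrawal is just a newer record with nothing granted; the old record is
// kept in the log so the history of what was consented to survives.
function withdraw(visitorId, now) {
  return buildRecord({}, visitorId, 'withdrawal', now);
}

// Append-only consent log; the newest record for a visitor is authoritative.
class ConsentLog {
  constructor() { this.records = []; }
  append(record) { this.records.push(record); return record; }
  latest(visitorId) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].visitorId === visitorId) return this.records[i];
    }
    return null;
  }
}

// Prior consent: with no record, nothing non-essential loads. Strictly
// necessary scripts never wait. A record for an older policy version counts
// as no consent, so the banner must be shown again.
function mayLoad(category, record) {
  if (category === 'necessary') return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  return record.granted[category] === true;
}

// DOM-free core: which script descriptors ({ src, category }) may run.
function activatable(scripts, record) {
  return scripts.filter((s) => mayLoad(s.category, record));
}

// Browser side: replace each permitted text/plain placeholder with a live
// script element. Returns 0 when there is no DOM (e.g. under Node).
function activateDomScripts(record) {
  if (typeof document === 'undefined') return 0;
  let count = 0;
  const gated = document.querySelectorAll('script[type="text/plain"][data-consent-category]');
  gated.forEach((placeholder) => {
    if (!mayLoad(placeholder.dataset.consentCategory, record)) return;
    const live = document.createElement('script');
    if (placeholder.src) live.src = placeholder.src;
    else live.textContent = placeholder.textContent;
    placeholder.replaceWith(live);
    count++;
  });
  return count;
}

// Constructed sample site: one necessary, one analytics, one marketing script.
const SAMPLE_SCRIPTS = [
  { src: '/js/cart.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];
```

Call `activateDomScripts(log.latest(visitorId))` once on page load and again whenever the banner or the footer settings link produces a new record; the log itself should be persisted server-side, since a record kept only in the browser disappears when the visitor clears storage.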
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
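The three checklists above fit together: the data map says what you hold and why, the lawful basis decides what an erasure request can and cannot remove, and the rights process runs on a 30-day clock. The block below is an added example, not code from the post or from WordPress: it keeps the data map as a table in code and drives a portability export, an erasure with the legal-obligation exception, and a retention sweep off that one table. The inventory rows, the subject record, the retention periods and the 30-day response window taken from the list above are all constructed or assumed values; substitute your own.

```javascript
// Added example (not the post's code): a data map as code, with export,
// erasure-with-exceptions and retention sweep derived from it.
// All rows, values and retention periods are constructed samples.

const DAY_MS = 86400e3;
const RESPONSE_DAYS = 30; // the checklist's "within 30 days" figure

// Data map: one row per data type (what, source, storage, processor,
// lawful basis, documented retention). null = kept for the life of the account.
const DATA_MAP = [
  { field: "email",      source: "registration", store: "wp_users",    processor: "self",      lawfulBasis: "contract",         retentionDays: null },
  { field: "ip",         source: "consent log",  store: "consent_log", processor: "self",      lawfulBasis: "legal obligation", retentionDays: 365 },
  { field: "order",      source: "purchase",     store: "wc_orders",   processor: "Stripe",    lawfulBasis: "legal obligation", retentionDays: 2555 }, // assumed tax-record period
  { field: "newsletter", source: "form",         store: "Mailchimp",   processor: "Mailchimp", lawfulBasis: "consent",          retentionDays: null },
  { field: "pageviews",  source: "cookie",       store: "Matomo",      processor: "self",      lawfulBasis: "consent",          retentionDays: 180 },
];

// Constructed subject: what we hold about one user, keyed by data-map field.
const SUBJECT = {
  id: "user-42",
  records: {
    email:      { value: "alice@example.com", collectedAt: "2023-01-10" },
    ip:         { value: "203.0.113.7",       collectedAt: "2023-01-10" },
    order:      { value: "order-1001",        collectedAt: "2023-02-01" },
    newsletter: { value: "subscribed",        collectedAt: "2023-01-12" },
    pageviews:  { value: 57,                  collectedAt: "2024-01-20" },
  },
};

function daysBetween(from, to) {
  return Math.floor((new Date(to) - new Date(from)) / DAY_MS);
}

// Start the statutory clock for any data subject request.
function openRequest(type, receivedAt) {
  const types = ["access", "erasure", "portability", "rectification"];
  if (!types.includes(type)) throw new Error(`unknown request type ${type}`);
  const received = new Date(receivedAt);
  return {
    type,
    receivedAt: received.toISOString(),
    dueBy: new Date(received.getTime() + RESPONSE_DAYS * DAY_MS).toISOString(),
  };
}

// Access / portability: every field we hold, annotated from the data map so
// the export also tells the person where it came from and who processes it.
function exportSubject(subject) {
  return {
    subjectId: subject.id,
    data: DATA_MAP.filter((row) => subject.records[row.field] !== undefined).map((row) => ({
      field: row.field,
      value: subject.records[row.field].value,
      collectedAt: subject.records[row.field].collectedAt,
      source: row.source,
      storedIn: row.store,
      processor: row.processor,
      lawfulBasis: row.lawfulBasis,
    })),
  };
}

// Erasure "with exceptions": data held under a legal obligation stays until
// its documented retention period has run; everything else is erased.
function eraseSubject(subject, now) {
  const erased = [];
  const retained = [];
  for (const row of DATA_MAP) {
    const rec = subject.records[row.field];
    if (rec === undefined) continue;
    const age = daysBetween(rec.collectedAt, now);
    if (row.lawfulBasis === "legal obligation" && row.retentionDays !== null && age < row.retentionDays) {
      retained.push({ field: row.field, reason: `legal obligation, ${row.retentionDays - age} days of retention left` });
    } else {
      erased.push(row.field);
    }
  }
  return { erased, retained };
}

// Retention sweep: fields past their documented period must go even when
// nobody asked, otherwise the retention column in the map is fiction.
function retentionDue(subject, now) {
  return DATA_MAP
    .filter((row) => row.retentionDays !== null && subject.records[row.field] !== undefined)
    .filter((row) => daysBetween(subject.records[row.field].collectedAt, now) >= row.retentionDays)
    .map((row) => row.field);
}
```

The design choice worth copying is that the erasure and retention logic never hard-code field names: adding a new plugin that stores a new data type means adding one row to `DATA_MAP`, and the quarterly privacy-policy review in the maintenance table becomes "does the policy match this table?".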
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
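The plugins compared elsewhere on this page implement these rules for you, but it helps to see what "correct" looks like in code when you audit one, or when a developer hand-wires a tag manager. The block below is an added example, not code from the post or from any of the plugins named here: a small consent manager that starts with every optional category off, refuses partial or pre-ticked choices, gives "reject all" the same one-call path as "accept all", stores what was consented to, when and by whom, and loads a third-party script only after a current record allows its category. The category names mirror the table above; `POLICY_VERSION`, the 365-day re-prompt interval and the script names in `demo` are constructed assumptions.

```javascript
// Added example (not the post's or any plugin's code): consent-gated script
// loading that enforces prior, granular, withdrawable, recorded consent.
// POLICY_VERSION, MAX_CONSENT_AGE_DAYS and script names are constructed.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06";   // assumed: bump whenever the cookie policy changes
const MAX_CONSENT_AGE_DAYS = 365;   // assumed re-prompt interval

// State before the visitor has chosen: only necessary is on. Optional
// categories default to false (no pre-ticked boxes) and nothing is
// "decided", so no optional script may load yet (prior consent).
function defaultConsent() {
  return {
    decided: false,
    version: POLICY_VERSION,
    choices: { necessary: true, functional: false, analytics: false, marketing: false },
  };
}

// Turn the banner's checkbox values into a stored consent record. Every
// optional category must be an explicit boolean (granular consent),
// `necessary` cannot be switched off, and unknown keys are rejected.
function recordConsent(choices, { subjectId = null, now = new Date() } = {}) {
  for (const key of Object.keys(choices)) {
    if (!CATEGORIES.includes(key)) throw new Error(`unknown cookie category: ${key}`);
  }
  const clean = { necessary: true };
  for (const cat of CATEGORIES.slice(1)) {
    if (typeof choices[cat] !== "boolean") {
      throw new Error(`category ${cat} needs an explicit true/false`);
    }
    clean[cat] = choices[cat];
  }
  return {
    decided: true,
    version: POLICY_VERSION,      // which policy text the visitor saw
    choices: clean,               // what was consented to
    subjectId,                    // by whom (pseudonymous visitor id, if kept)
    timestamp: now.toISOString(), // when
  };
}

// "Reject all" is exactly as easy as "Accept all"; withdrawal is the same call.
const acceptAll = (opts) => recordConsent({ functional: true, analytics: true, marketing: true }, opts);
const rejectAll = (opts) => recordConsent({ functional: false, analytics: false, marketing: false }, opts);

// A stored record only counts if it was given under the current policy
// version and is not older than the re-prompt interval.
function consentIsCurrent(record, now = new Date()) {
  if (!record || !record.decided || record.version !== POLICY_VERSION) return false;
  const ageMs = now - new Date(record.timestamp);
  return ageMs >= 0 && ageMs <= MAX_CONSENT_AGE_DAYS * 86400e3;
}

// Script gating: each third-party tag is registered under a category and is
// loaded at most once, only when a current record allows that category.
function createLoader(loadScript) {
  const registry = [];
  const loaded = new Set();
  return {
    register(name, category) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
      registry.push({ name, category });
    },
    // Returns the names loaded by this call so behaviour can be audited.
    apply(record) {
      const effective = consentIsCurrent(record) ? record : defaultConsent();
      const loadedNow = [];
      for (const { name, category } of registry) {
        if (loaded.has(name) || !effective.choices[category]) continue;
        loadScript(name);
        loaded.add(name);
        loadedNow.push(name);
      }
      return loadedNow;
    },
    loadedScripts: () => [...loaded],
  };
}

// Demo with constructed script names; nothing is fetched.
function demo() {
  const calls = [];
  const loader = createLoader((name) => calls.push(name));
  loader.register("session-cookie-bootstrap", "necessary");
  loader.register("matomo", "analytics");
  loader.register("facebook-pixel", "marketing");
  const before = loader.apply(defaultConsent());                 // necessary only
  const afterReject = loader.apply(rejectAll({ subjectId: "v-1" })); // nothing new
  const afterPartial = loader.apply(
    recordConsent({ functional: false, analytics: true, marketing: false }, { subjectId: "v-1" })
  );
  return { before, afterReject, afterPartial, calls };
}
```

Two caveats a practitioner will want: a script that has already executed cannot be "unloaded" when consent is withdrawn, so a real banner reloads the page after withdrawal and also deletes the cookies that category set; and the record returned by `recordConsent` is what the "Consent Logs" column in the plugin comparison refers to, so persist it server-side rather than only in the visitor's browser.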
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (a free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
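The consent rules listed above applied to the category table, as an added example that is not code from the original article or from any of the plugins discussed: the decision logic of a consent manager written as pure functions (no DOM), so default-deny, active choice, per-category gating and withdrawal can be checked in Node. The category names, the `cookie-policy-v1` version string and the script manifest are assumptions constructed for the example.

```javascript
// Added example, not the article's code. Pure functions modelling a cookie
// consent manager's decisions; a real banner and script loader call these.
// Category names are an assumption.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Default state: nothing pre-ticked, only strictly necessary cookies allowed.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the banner's checkboxes. A choice only counts
// when the visitor actively clicked Save/Accept (active: true); scrolling or
// continuing to browse (active: false) leaves every optional category denied.
function recordConsent(ticked, { active, visitorId, now = new Date() }) {
  const choices = defaultChoices();
  if (active) {
    for (const c of CATEGORIES) {
      if (c !== "necessary" && ticked[c] === true) choices[c] = true;
    }
  }
  return {
    policyVersion: "cookie-policy-v1", // assumed; bump when the policy text changes
    visitorId,                          // pseudonymous id stored with the record
    timestamp: now.toISOString(),       // when consent was given
    active,                             // evidence that this was an affirmative act
    choices,
  };
}

// "Reject All" must be as easy as "Accept All": one click, one dated record.
function rejectAll(visitorId, now = new Date()) {
  return recordConsent({}, { active: true, visitorId, now });
}

// Withdrawal writes a new dated record rather than editing the old one, so the
// consent log still shows what was granted and when it was withdrawn.
function withdrawConsent(record, now = new Date()) {
  return { ...record, timestamp: now.toISOString(), choices: defaultChoices(), withdrawn: true };
}

// Gate a script by category. Necessary scripts always load; anything else
// needs a record granting its category; unknown categories are blocked.
function mayLoad(record, category) {
  if (category === "necessary") return true;
  return record != null && record.choices[category] === true;
}

// Constructed script manifest for the example (paths are illustrative).
const SCRIPTS = [
  { src: "/wp-includes/js/session.js", category: "necessary" },
  { src: "/analytics/gtag-loader.js", category: "analytics" },
  { src: "/ads/pixel-loader.js", category: "marketing" },
];

// Scripts that may be injected before any consent (record null) or after a
// given consent record. "Prior" consent means this runs before injection.
function scriptsToLoad(record) {
  return SCRIPTS.filter((s) => mayLoad(record, s.category)).map((s) => s.src);
}
```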
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (the Children's Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge that specific users are under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is to state a minimum age in your ToS (13 for US sites; GDPR's default age of digital consent is 16, which member states may lower to 13) and to add a date-of-birth or age check to registration forms if there is any realistic possibility of underage users. Stop collecting data from an account as soon as you learn its owner is under the limit.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Requiring users to tick an "I have read and agree to the Terms of Service" box during registration creates a record of acceptance, provided you actually store it: log the timestamp and the version of the terms accepted alongside the account. Keep GDPR consent separate from that acceptance. Marketing consent needs its own unticked checkbox and must not be bundled into "I agree to the terms"; processing that is necessary to provide the account itself (storing the email address and password) runs on the contract basis and needs no checkbox at all.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it stores identifiers in cookies on the visitor's device and sends the collected data to Google, including to servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode is available, and when it is combined with IP anonymisation and used only for audience measurement (no cross-site tracking), some regulators, France's CNIL among them, exempt it from the consent requirement. Check your own supervisory authority's position; not all of them grant that exemption.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes the analytics category from your cookie banner, simplifies the banner, and often speeds up your site (privacy-first tools load a far smaller script than Google Analytics). You still need the banner if you run marketing pixels; those require consent regardless of which analytics tool you use.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU's ePrivacy Directive (the "Cookie Law") and GDPR together require that websites obtain prior, informed, freely given, specific and unambiguous consent before setting any non-essential cookies, and the same rule covers any other storing of or reading from information on the visitor's device (localStorage, tracking pixels, fingerprinting scripts). "Prior" means before the cookie is set or the tracking script runs, not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be an affirmative action (the user clicks "Accept"), not passive acceptance by scrolling, continuing to browse or ignoring the banner
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of your cookie policy, and a pseudonymous identifier for the browser that gave it (you do not need, and should not collect, the visitor's identity for this)
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
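Script blocking and the consent record described above, as an added example (not code from the page or from any consent plugin). It assumes third-party tags are written into the HTML with the browser-inert type `text/plain` and a `data-consent` category attribute, so nothing non-essential executes until the visitor has acted; the cookie name, the policy version string and the 180-day re-ask period are assumptions.

```javascript
// Consent-gated tag loading plus the consent record the law expects you to keep.
// Added example: not code from the page or from any consent plugin.
// Assumes third-party tags are written into the HTML with the browser-inert type
//   <script type="text/plain" data-consent="analytics" src="https://example.com/analytics.js"></script>
// so nothing in a non-essential category executes before the visitor has actually consented.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-06';     // assumed: bump whenever the cookie policy changes; old consent then no longer counts
const CONSENT_MAX_AGE_DAYS = 180;     // assumed re-ask period; regulators vary, 6 to 13 months is typical
const COOKIE_NAME = 'site_consent';   // assumed name of the first-party cookie holding the record

function randomId() {
  // Random, non-identifying token that ties the record to this browser
  const bytes = new Uint8Array(8);
  if (typeof crypto !== 'undefined' && crypto.getRandomValues) crypto.getRandomValues(bytes);
  else for (let i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256);
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// What was consented to, when, under which policy version, by which browser.
// Categories the visitor did not actively tick are false: there is no pre-ticked default.
function buildConsentRecord(choices, { now = Date.now(), id = randomId() } = {}) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === 'necessary' ? true : choices[c] === true;
  return { id, version: POLICY_VERSION, timestamp: new Date(now).toISOString(), granted };
}

// A stored record only counts if it was given under the current policy and is not stale
function consentIsCurrent(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION || !record.granted) return false;
  const age = now - Date.parse(record.timestamp);
  return age >= 0 && age < CONSENT_MAX_AGE_DAYS * 86400000;
}

// Categories whose blocked tags may be activated. Without valid consent, only 'necessary'.
function activatableCategories(record, now = Date.now()) {
  if (!consentIsCurrent(record, now)) return ['necessary'];
  return CATEGORIES.filter(c => record.granted[c] === true);
}

// Withdrawal must be as easy as granting: same record ID, everything non-essential off
function withdrawConsent(record, now = Date.now()) {
  return buildConsentRecord({}, { now, id: record.id });
}

// First-party cookie carrying the record. Secure + SameSite=Lax; lifetime matches the re-ask period.
function consentCookie(record) {
  const maxAge = CONSENT_MAX_AGE_DAYS * 86400;
  return `${COOKIE_NAME}=${encodeURIComponent(JSON.stringify(record))}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE_NAME) {
      try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch (e) { return null; }
    }
  }
  return null;
}

// Browser side: turn blocked <script type="text/plain"> tags in the allowed categories into live scripts.
// Changing `type` in place does not execute a script, so each one is cloned. Runs only where a DOM exists.
function applyConsent(record, doc = typeof document !== 'undefined' ? document : null, now = Date.now()) {
  if (!doc) return [];
  const allowed = new Set(activatableCategories(record, now));
  const activated = [];
  for (const blocked of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    const category = blocked.getAttribute('data-consent');
    if (!allowed.has(category)) continue;
    const live = doc.createElement('script');
    for (const attr of Array.from(blocked.attributes)) {
      if (attr.name !== 'type' && attr.name !== 'data-consent') live.setAttribute(attr.name, attr.value);
    }
    live.text = blocked.textContent;
    blocked.parentNode.replaceChild(live, blocked);
    activated.push(category);
  }
  return activated;
}
```

On page load, parse the consent cookie and call `applyConsent`; on the banner's Accept or Save button, build a record from the ticked boxes, set the cookie and call `applyConsent` again; the footer's cookie-settings link calls `withdrawConsent` and rewrites the cookie. Withdrawal cannot unload a script that has already run, so reload the page afterwards and delete the cookies the withdrawn tools set. Changing `POLICY_VERSION` invalidates every stored record, which is what you want when you add a new tracking tool: a visitor who consented to the old list has not consented to the new one.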
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex or numerous requests, with the requester told of the extension)
- Process for deletion requests (erase the data within one month, subject to exceptions such as legal retention obligations and data needed to defend legal claims)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
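The five requirements above, as an added example of what a consent banner has to do underneath (not code from the article or from any of the plugins compared below). It assumes non-essential scripts are embedded inert as `<script type="text/plain" data-consent="analytics" src="...">` so the browser cannot run them before consent, that the record is kept in a first-party cookie named `site_consent`, and that a policy version string is bumped whenever the cookie policy changes; the DOM wiring at the end only runs in a browser.

```javascript
// Added example: granular, prior, withdrawable consent with a stored record.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06"; // assumption: bump when the cookie policy text changes

// State before any choice: nothing non-essential is allowed (no passive consent).
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// The record to store: what was consented to, when, and under which policy version.
// Only a literal `true` for a category counts as an active tick; anything else stays off.
// `id` is the consent id the server logs (tied to the account for logged-in users).
function buildConsentRecord(choices, now = new Date(), id = null) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && choices[c] === true) consent[c] = true;
  }
  return { id, version: POLICY_VERSION, timestamp: now.toISOString(), consent };
}

// A stored record is only honoured if it was given under the current policy version;
// after a policy change the visitor must be asked again.
function parseConsentRecord(raw) {
  try {
    const rec = JSON.parse(raw);
    if (!rec || rec.version !== POLICY_VERSION || typeof rec.consent !== "object") return null;
    return rec;
  } catch (e) {
    return null;
  }
}

// May a script tagged with `category` run under this record? Unknown or missing
// categories are treated as non-essential and stay blocked.
function scriptAllowed(category, record) {
  if (category === "necessary") return true;
  if (!record || !CATEGORIES.includes(category)) return false;
  return record.consent[category] === true;
}

// Withdrawal ("Reject All" or the footer settings link): a fresh record with everything off.
function withdrawConsent(now = new Date(), id = null) {
  return buildConsentRecord({}, now, id);
}

// Browser only: swap each inert <script type="text/plain"> whose category is allowed
// for an executable copy. Returns how many were activated.
function activateScripts(record, doc) {
  const scripts = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  let activated = 0;
  for (const s of scripts) {
    if (!scriptAllowed(s.dataset.consent, record)) continue;
    const live = doc.createElement("script");
    if (s.src) live.src = s.src; else live.textContent = s.textContent;
    s.replaceWith(live);
    activated++;
  }
  return activated;
}

if (typeof document !== "undefined") {
  const raw = document.cookie.split("; ").find(c => c.startsWith("site_consent="));
  const stored = raw ? parseConsentRecord(decodeURIComponent(raw.slice("site_consent=".length))) : null;
  if (stored) activateScripts(stored, document); // returning visitor: apply the recorded choices
  // Otherwise show the banner. On "Save choices" / "Accept all" / "Reject all", do:
  //   const rec = buildConsentRecord({ analytics: form.analytics.checked, marketing: form.marketing.checked });
  //   document.cookie = "site_consent=" + encodeURIComponent(JSON.stringify(rec)) +
  //                     "; Max-Age=15552000; Path=/; SameSite=Lax; Secure";
  //   activateScripts(rec, document);   // and POST `rec` to your consent log
}
```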
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of the request; this can be extended by two further months for complex or numerous requests, but you must tell the requester about the extension, and why, within the first month)
- Process for deletion requests (erase within the same one-month window, subject to exceptions such as data you are legally obliged to retain)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Every breach, reported or not, must be documented internally with its facts, its effects and the remedial action taken, so keep a breach register from day one. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side, typically inside an iframe served by the processor, and tokenizing them before anything reaches your server. SAQ A reduces what you store and transmit; it does not remove the risk that a malicious script on your checkout page (a compromised plugin, a tampered theme asset) skims card details before they reach the processor’s iframe. Keep the scripts loaded on checkout to a minimum and monitor them for changes; PCI DSS v4 added script inventory and tamper-detection requirements for payment pages (requirements 6.4.3 and 11.6.1) for exactly this reason.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6, takes about 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or the designation lapses (put the renewal date in the compliance calendar below). Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users. Sites not directed at children are still bound once they have actual knowledge that a user is under 13, so decide in advance what happens when an age check fails or a parent writes in: delete the account and its data, or obtain verifiable parental consent.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, but only if you store it: keep the timestamp, the version of the terms that was shown, and the account that accepted them, because a checkbox with no record proves nothing later. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the boxes must not be pre-ticked.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need explicit opt-in consent to send marketing emails to subscribers; the only narrow exception is marketing similar products to existing customers who were given a chance to opt out when they bought. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in consent is required for commercial electronic messages; implied consent is limited to situations such as an existing business or non-business relationship, and it expires.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
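The requirements above (prior consent, no implied grants, an equally easy "Reject All", withdrawal, and a record of what was consented to and when) map onto a small piece of logic. The following is an added example, not code from the article or from any of the plugins compared below; it gates scripts by the four categories in the table, and the policy version strings and script paths in it are constructed.

```javascript
// Added example, not code from the article or any consent plugin: consent
// gating for the four cookie categories in the table above. Scripts carry a
// category; nothing non-essential is activated until a record with an
// explicit grant exists. Policy versions and script paths are constructed.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]); // strictly necessary: exempt from consent

// Prior consent: with no record at all, only exempt categories may run.
function isAllowed(record, category) {
  if (EXEMPT.has(category)) return true;
  return Boolean(record && record.granted[category] === true);
}

// Return the src of every declared script that may be activated now.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => isAllowed(record, s.category)).map((s) => s.src);
}

// Re-prompt when the policy text the visitor saw is no longer current.
function needsPrompt(record, currentVersion) {
  return !record || record.policyVersion !== currentVersion;
}

// Append-only store of consent records: what, when, how, under which policy.
class ConsentLog {
  constructor() {
    this.entries = [];
  }

  _append(record) {
    record.id = this.entries.length + 1; // sequential id is enough for this demo
    this.entries.push(record);
    return record;
  }

  // Build a record from explicit banner choices. Anything that is not
  // literally `true` is a refusal, so a missing key or a pre-ticked default
  // can never turn into a grant.
  record(choices, policyVersion, method, now = new Date()) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = EXEMPT.has(c) || choices[c] === true;
    return this._append({
      timestamp: now.toISOString(), // when
      policyVersion,                // which policy text was shown
      method,                       // how: "accept-all", "reject-all", "custom", ...
      granted,                      // what
    });
  }

  // "Reject All" must be as easy as "Accept All": each is a single action.
  acceptAll(policyVersion, now) {
    const all = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
    return this.record(all, policyVersion, "accept-all", now);
  }

  rejectAll(policyVersion, now) {
    return this.record({}, policyVersion, "reject-all", now);
  }

  // Withdrawal is a new record pointing at the one it supersedes; the old
  // record is kept as evidence of what was consented to at the time.
  withdraw(recordId, category, now = new Date()) {
    const prev = this.entries.find((r) => r.id === recordId);
    if (!prev) throw new Error("unknown consent record " + recordId);
    const choices = { ...prev.granted, [category]: false };
    const next = this.record(choices, prev.policyVersion, "withdraw:" + category, now);
    next.supersedes = prev.id;
    return next;
  }

  latest() {
    return this.entries.length ? this.entries[this.entries.length - 1] : null;
  }
}

// Browser side (not exercised under Node): ship tags as
// <script type="text/plain" data-category="analytics" data-src="..."> so the
// browser ignores them, then swap in a live script only for granted categories.
function activateInBrowser(doc, record) {
  const inert = doc.querySelectorAll('script[type="text/plain"][data-category]');
  for (const el of inert) {
    if (!isAllowed(record, el.dataset.category)) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
  }
}
```

A consent plugin's scanner only finds cookies that are set; the inert `type="text/plain"` tags are what keep a newly installed plugin's script from running before the visitor has chosen.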
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by your users - but only if you have registered a designated agent with the US Copyright Office, have a working takedown process, and adopt and enforce a policy for terminating repeat infringers.
Registration costs $6, takes about 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining your takedown and counter-notice process, and designate an email address or form for receiving notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge that particular users are under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, where GDPR lets member states set the threshold anywhere from 13 to 16), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make the age screen neutral (ask for a date of birth rather than an “Are you over 13?” box that invites a false answer), do not let a user who fails it simply go back and try again, and do not retain the date of birth after the check unless you need it for something else.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. Do not bundle marketing consent into that box: under GDPR consent must be specific, so email marketing needs its own separate, unticked checkbox, while the processing needed to run the account itself rests on the contract basis and needs no consent box at all.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. With cookies disabled and IP anonymisation on, it runs in the configuration several regulators (the French CNIL among them) accept as exempt from consent.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes the analytics category from your consent banner, simplifies the banner itself, and often speeds up your site (privacy-first scripts are a fraction of the size of the Google Analytics tag). Cookieless does not mean no personal data, though: these tools still receive the visitor's IP address and user agent, even if only transiently, so they still belong in your data map and need a DPA (or, for self-hosted Matomo, a retention setting you actually configure).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex requests, and only after verifying the requester's identity so you never hand one user's data to someone else)
- Process for deletion requests (erase within one month, with exceptions such as records you must keep for tax or legal reasons, and pass the deletion on to processors holding copies)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors offer their DPA for download, electronic signature or automatic acceptance through their terms in the settings dashboard. Completing them is a 10-minute task per vendor. Not having them in place is a GDPR violation even if everything else is in order. For vendors outside the EU (most US SaaS), the DPA must also name a transfer mechanism such as Standard Contractual Clauses or the EU-US Data Privacy Framework; check that it does.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Designate someone responsible for breach assessment and notification in your organization, and keep an internal log of every breach, including those you decide not to report, because the regulator can ask to see it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before storing or reading anything on the visitor's device that is not strictly necessary - cookies, but equally localStorage entries and tracking pixels. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” button without an equally prominent “Reject All” is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and under which version of your cookie policy. Key the record to a random consent ID rather than to the user's identity, so the consent log does not itself become a tracking database.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server.
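A server-side guard that confirms your own forms never receive raw card numbers, as an added example written for this post (it is not code from Stripe, PayPal or WooCommerce). It runs the Luhn check over every submitted field and reports only masked values, so the guard itself never writes a full card number into a log. The field names and sample values are constructed; 4242 4242 4242 4242 and 4111 1111 1111 1111 are well-known test numbers.

```javascript
// Added example: detect raw card numbers (PANs) arriving in your own form
// submissions or logs, which should never happen once a tokenizing payment
// form is in place. Returns masked values only. Field names and sample
// values are constructed for illustration.

// Luhn checksum, the standard validity test for payment card numbers.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Keep the first six and last four digits, the usual PCI-safe display form.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Find runs of 13-19 digits (optionally separated by spaces or dashes) that
// pass Luhn. Phone numbers are too short; order numbers normally fail the
// checksum, so neither is reported.
function findCardNumbers(text) {
  const found = [];
  const candidate = /(?:\d[ -]?){12,18}\d/g;
  for (const m of String(text).matchAll(candidate)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Screen one submission (object of field name -> value). Returns the offending
// fields with masked numbers; an empty array means the request is clean.
function screenSubmission(fields) {
  const hits = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") continue;
    for (const pan of findCardNumbers(value)) {
      hits.push({ field: name, masked: maskPan(pan) });
    }
  }
  return hits;
}

// Constructed sample: one order id that merely looks like a card number, one
// phone number, and one free-text note containing a Luhn-valid test number.
const sampleHits = screenSubmission({
  order_id: "1234567812345678",
  phone: "+1 555 0100",
  note: "please charge 4242 4242 4242 4242",
});
```

Wire `screenSubmission` in front of any handler that stores form data: when it returns hits, reject the request with a 400, alert, and do not persist the submission. Running the same check over web-server and application logs is a cheap way to catch a misconfigured plugin that started posting card details to your server.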
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
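One way to make the monthly cookie scan concrete, as an added example that is not part of the original post: compare the cookies actually present in a visitor's browser with the cookie inventory declared in your cookie policy and with what that visitor consented to. Undeclared cookies mean the policy is out of date (typically a new plugin); a non-essential cookie present without consent means script blocking is not working. The inventory format is my own; _ga, _gid, _gat, _fbp, PHPSESSID and wordpress_logged_in_* are well-known cookie names used only as illustrations.

```javascript
// Added example: audit the cookies a browser actually holds against the
// declared inventory and the visitor's consent choices. Run it in the browser
// console with document.cookie, or in Node with a captured Cookie header.
// The inventory format is my own; the cookie names are well-known examples.

const INVENTORY = [
  // pattern for the cookie name -> category declared in the cookie policy
  { match: /^(PHPSESSID|wordpress_logged_in_|wordpress_sec_|wp-settings)/, category: "necessary" },
  { match: /^(_ga|_gid|_gat)/, category: "analytics" },
  { match: /^_fbp$/, category: "marketing" },
];

// "a=1; b=2" -> ["a", "b"]; values are irrelevant for the audit
function cookieNames(cookieString) {
  return String(cookieString)
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => part.split("=")[0].trim());
}

function categoryOf(name, inventory) {
  const entry = inventory.find((e) => e.match.test(name));
  return entry ? entry.category : null;
}

// consented: categories the visitor accepted in the consent banner.
// Returns undeclared cookies (update the policy or remove the plugin) and
// violations (non-essential cookie set without consent: script blocking failed).
function auditCookies(cookieString, consented, inventory = INVENTORY) {
  const undeclared = [];
  const violations = [];
  const declared = [];
  for (const name of cookieNames(cookieString)) {
    const category = categoryOf(name, inventory);
    if (category === null) {
      undeclared.push(name);
    } else if (category !== "necessary" && !consented.includes(category)) {
      violations.push({ name, category });
    } else {
      declared.push({ name, category });
    }
  }
  return {
    undeclared,
    violations,
    declared,
    clean: undeclared.length === 0 && violations.length === 0,
  };
}

// Constructed sample: a visitor who accepted analytics but not marketing,
// on a site where some plugin has started setting "mystery_plugin".
const SAMPLE_COOKIES =
  "PHPSESSID=abc123; _ga=GA1.2.111; _gid=GA1.2.222; _fbp=fb.1.333; mystery_plugin=1";
const sampleReport = auditCookies(SAMPLE_COOKIES, ["analytics"]);
```

`document.cookie` cannot see HttpOnly cookies or cookies set by third-party domains (embedded iframes, tracking pixels), so pair this check with the browser's storage inspector or the scanner built into your consent plugin for a complete picture. Running the audit once with an empty `consented` list, in a fresh private window before clicking anything in the banner, is the direct test of the "prior consent" rule.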
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
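The double opt-in flow described above, as an added example that is not code from Mailchimp, ConvertKit or ActiveCampaign: a minimal subscription store that adds nobody until the confirmation link is used, records the date, IP and method of consent for each address, and makes unsubscribe take effect immediately while keeping the record as evidence. The function names, the 48-hour confirmation window, the in-memory maps standing in for a database, and the sample addresses are my own choices.

```javascript
// Added example: double opt-in with a consent record per subscriber.
// In-memory Maps stand in for a database; the clock and the token generator
// are injectable so the flow can be exercised deterministically.

function defaultToken() {
  // 32 random bytes as hex; globalThis.crypto exists in browsers and Node 19+
  const bytes = new Uint8Array(32);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

function createMailingList({ now = () => new Date(), randomToken = defaultToken, confirmTtlHours = 48 } = {}) {
  const pending = new Map();     // token -> signup request awaiting confirmation
  const subscribers = new Map(); // email -> consent record

  // Step 1: the form was submitted. Nothing is added to the list yet; the
  // caller emails a confirmation link that carries the returned token.
  function subscribe(email, { ip, source } = {}) {
    const addr = normalizeEmail(email);
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(addr)) return { ok: false, reason: "invalid_email" };
    const existing = subscribers.get(addr);
    if (existing && existing.status === "subscribed") return { ok: false, reason: "already_subscribed" };
    const token = randomToken();
    pending.set(token, { email: addr, requestedAt: now(), ip, source });
    // Production note: persist a hash of the token rather than the token, so
    // a database leak does not hand out working confirmation links.
    return { ok: true, token };
  }

  // Step 2: the link was clicked. The token is single-use and time-limited.
  function confirm(token, { ip } = {}) {
    const request = pending.get(token);
    if (!request) return { ok: false, reason: "unknown_token" };
    pending.delete(token);
    const ageHours = (now().getTime() - request.requestedAt.getTime()) / 3600000;
    if (ageHours > confirmTtlHours) return { ok: false, reason: "expired" };
    const record = {
      email: request.email,
      status: "subscribed",
      method: "double-opt-in",
      source: request.source,           // which form the consent came from
      requestedAt: request.requestedAt.toISOString(),
      requestIp: request.ip,
      confirmedAt: now().toISOString(),
      confirmIp: ip,
    };
    subscribers.set(request.email, record);
    return { ok: true, record };
  }

  // Unsubscribe takes effect immediately. The record stays, with the
  // timestamp, as proof that the request was honored.
  function unsubscribe(email) {
    const record = subscribers.get(normalizeEmail(email));
    if (!record) return { ok: false, reason: "not_found" };
    record.status = "unsubscribed";
    record.unsubscribedAt = now().toISOString();
    return { ok: true, record };
  }

  // The only question the sending code should ever ask.
  function canEmail(email) {
    const record = subscribers.get(normalizeEmail(email));
    return Boolean(record) && record.status === "subscribed";
  }

  return { subscribe, confirm, unsubscribe, canEmail };
}
```

The record produced by `confirm` is exactly what a data protection authority asks for when it questions a marketing email: when and where consent was requested, when and from where it was confirmed, and by which method. If you keep using a hosted platform, compare its subscriber detail view against these fields to verify the platform is capturing the same information.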
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
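How the five requirements above and the category table translate into front-end behaviour, as an added example that is not code from any of the consent plugins compared in this post (they do this for you; this shows what "script blocking" and "consent records" mean mechanically). Non-essential loaders are queued until an explicit decision exists, categories are decided separately, absent categories count as rejected, withdrawal is a single call, and every decision is appended to a record. The gate takes the document object as a parameter so the same logic runs in the browser or under Node with a stub; the cookie name site_consent, the policy version string and the 180-day lifetime are my own choices.

```javascript
// Added example: a minimal consent gate enforcing prior, granular,
// withdrawable, recorded consent. `doc` is the browser document (or any object
// with a `cookie` property). Cookie name, version string and lifetime are my
// own choices, not a standard.

const NON_ESSENTIAL = ["functional", "analytics", "marketing"];
const CONSENT_COOKIE = "site_consent";
const POLICY_VERSION = "2024-01";     // bump when the cookie policy changes; consent is then re-asked
const MAX_AGE_SECONDS = 180 * 24 * 3600;

function createConsentGate(doc, now = () => new Date()) {
  const queued = { functional: [], analytics: [], marketing: [] };
  const records = [];   // local consent log; send entries server-side to keep durable consent records

  function readState() {
    const m = String(doc.cookie || "").match(new RegExp("(?:^|;\\s*)" + CONSENT_COOKIE + "=([^;]*)"));
    if (!m) return null;
    try { return JSON.parse(decodeURIComponent(m[1])); } catch (e) { return null; }
  }

  function writeState(choices) {
    const state = { v: POLICY_VERSION, at: now().toISOString(), choices };
    doc.cookie = CONSENT_COOKIE + "=" + encodeURIComponent(JSON.stringify(state)) +
      "; Path=/; Max-Age=" + MAX_AGE_SECONDS + "; SameSite=Lax; Secure";
    records.push(state);
    return state;
  }

  // A category is allowed only by an explicit, current-version "true".
  function allowed(category) {
    if (category === "necessary") return true;
    const s = readState();
    return Boolean(s && s.v === POLICY_VERSION && s.choices && s.choices[category] === true);
  }

  // Show the banner when there is no decision yet or the policy changed since.
  function needsBanner() {
    const s = readState();
    return !s || s.v !== POLICY_VERSION;
  }

  // Register a loader (e.g. a function that injects the analytics <script>).
  // It runs now only if its category is already allowed; otherwise it waits.
  function register(category, loader) {
    if (allowed(category)) { loader(); return true; }
    if (NON_ESSENTIAL.includes(category)) queued[category].push(loader);
    return false;
  }

  function flush() {
    for (const c of NON_ESSENTIAL) {
      if (!allowed(c)) continue;
      const fns = queued[c];
      queued[c] = [];
      fns.forEach((fn) => fn());
    }
  }

  // Absent categories are treated as rejected: nothing is pre-ticked.
  function decide(choices) {
    const clean = {};
    for (const c of NON_ESSENTIAL) clean[c] = choices[c] === true;
    const state = writeState(clean);
    flush();
    return state;
  }
  const acceptAll = () => decide({ functional: true, analytics: true, marketing: true });
  const rejectAll = () => decide({});
  // Withdrawal is one call, as easy as acceptance. Scripts already loaded in
  // this page view keep running, so reload the page and delete the vendor
  // cookies after a withdrawal.
  const withdraw = rejectAll;

  return { register, decide, acceptAll, rejectAll, withdraw, allowed, needsBanner, records };
}
```

In a page, the banner's "Accept All", "Reject All" and per-category "Save" buttons call `acceptAll`, `rejectAll` and `decide`, the footer "Cookie settings" link reopens the banner and can call `withdraw`, and each tag is wrapped in `register("analytics", ...)` or `register("marketing", ...)` instead of being placed in the page directly. The `records` array is what the "consent records" requirement refers to; post each entry to your server with a per-visitor identifier so it survives the browser.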
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA (operative January 2023), applies to for-profit businesses that do business in California and: have annual gross revenue over $25 million (a threshold adjusted for inflation every two years), buy, sell, or share the personal information of 100,000 or more California consumers or households per year, or earn 50% or more of their revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor it by actually stopping the ad pixels and cookies for that visitor. California’s regulations also require honoring opt-out preference signals sent by the browser, such as Global Privacy Control (GPC), which arrives as a Sec-GPC: 1 request header and as navigator.globalPrivacyControl in JavaScript; a footer link alone does not satisfy that part. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display the link only to California visitors; check whether your plugin has a setting to respect GPC and enable it.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly from the visitor’s browser to the processor and never touches your server, you qualify for SAQ A, the shortest self-assessment questionnaire. Reduced scope is not zero scope: SAQ A still expects you to protect the page that embeds or redirects to the payment form, because a script injected into that page (through a compromised plugin, for example) can skim card numbers before they ever reach the processor. Keep the checkout page free of unnecessary third-party scripts, serve it over TLS, and complete the questionnaire annually.
Do not collect card numbers in your own forms. Do not store card numbers anywhere - not in your database, not in server logs, not in error-tracking or form-submission plugins that capture request bodies. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: the card details are entered into a form served by the processor, the processor returns a token or payment method ID, and only that token is sent to your server.
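A check that belongs on the server side of that arrangement, as an added example that is not from the original article or from Stripe, PayPal or WooCommerce: if a misconfigured theme or a third-party form ever posts a raw card number to your own origin, you want to reject the request and make sure the number never lands in a log. The guard below finds digit runs of card-number length, confirms them with the Luhn check that every major card brand’s numbers satisfy, names the offending fields, and produces a redacted copy that is safe to log. The form field names, the sample body, and the use of Stripe’s published test number 4242 4242 4242 4242 are constructed for the example. The Luhn check cuts false positives on order numbers and timestamps, but a random digit string still passes it one time in ten, so treat this as a tripwire, not a complete data-loss-prevention control.

```javascript
// Added example: detect and redact primary account numbers (PANs) in request
// bodies so they can be rejected before storage and scrubbed before logging.
// Field names and the sample body are constructed for this demo.

// Luhn check (mod 10). Every Visa, Mastercard, Amex and Discover number passes it.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes as people type them.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// All Luhn-valid card-shaped runs in a string, returned as typed.
function findPans(text) {
  return [...String(text).matchAll(PAN_CANDIDATE)].map((m) => m[0]).filter(isPan);
}

// Replace each PAN with asterisks, keeping the last four digits as a receipt does.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    if (!isPan(m)) return m;
    const digits = m.replace(/[ -]/g, '');
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Inspect a parsed form body (field name -> value). Returns the fields that carry
// a PAN; a non-empty result means the request must be rejected, not processed.
function inspectFormBody(body) {
  return Object.entries(body)
    .filter(([, value]) => findPans(value).length > 0)
    .map(([field]) => field);
}

// The only representation of the body that may reach a log line.
function safeLogLine(body) {
  const clean = {};
  for (const [field, value] of Object.entries(body)) clean[field] = redactPans(value);
  return JSON.stringify(clean);
}

// Constructed sample: a form that should never see a card number but did. The
// 13-digit order number fails Luhn and is left alone; the 4242 number is Stripe's
// published test card and passes; the number in the note fails Luhn and is ignored.
const SAMPLE_BODY = {
  name: 'Jane Example',
  order: '1234567890123',
  card_number: '4242 4242 4242 4242',
  note: 'please charge 1234 5678 9012 3456 instead',
};

function demo() {
  return {
    offendingFields: inspectFormBody(SAMPLE_BODY), // ['card_number']
    logLine: safeLogLine(SAMPLE_BODY),             // card_number becomes ************4242
  };
}
```

Wire inspectFormBody into whatever receives form posts (a WordPress plugin hook or a reverse-proxy rule) and return an error when it reports a field; pass only safeLogLine output to your logger. The point of the Luhn step is to let legitimate 13-to-19-digit values such as order and tracking numbers through without manual allow-lists.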
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, and the safe harbor lapses with it, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for sites serving EU users, since GDPR sets 16 as the default age of digital consent and lets member states lower it to 13), and add a date-of-birth or age check to registration forms if there is any possibility of underage users. Per FTC guidance the age screen should be neutral: ask for a birth date rather than “Are you over 13?”, and do not let a visitor who fails it immediately go back and try a different answer, because a screen that invites lying offers no protection.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - provided you actually store it: record the user ID, the timestamp, and the version of the terms accepted, because an unversioned checkbox proves nothing once the terms change. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none may be pre-ticked, and ToS acceptance must not be tied to marketing consent - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under the ePrivacy rules because it stores identifiers on the visitor’s device, and it sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. The French CNIL, for example, lists a Matomo configuration (no cookies or cross-site tracking, IP truncation, limited retention) among audience measurement setups that do not need consent; other authorities are less explicit, so check the guidance for your main markets.
- Plausible: From $9/month. No cookies, no cross-site tracking, built around GDPR from the start. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics). One caveat: “no cookies” is not “no personal data”. These tools still receive the visitor’s IP address and user agent with every request; their argument is that they hash and discard it rather than build a profile. Your privacy policy should still list the tool and name legitimate interest as the lawful basis.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- International transfers: Whether data leaves the EEA or UK (a US-hosted analytics or email platform counts) and the safeguard relied on (adequacy decision, Standard Contractual Clauses, Data Privacy Framework certification)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, object to processing, withdraw consent, and lodge a complaint with a supervisory authority
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (clickwrap) is reliably enforceable; “by using the site you agree” (browsewrap) frequently is not, so use the checkbox anywhere the terms matter (paid services, arbitration clauses, liability caps)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule is not limited to cookies: it covers any storage of or access to information on the visitor’s device, so localStorage, tracking pixels, and fingerprinting scripts fall under the same requirement.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, which version of your cookie policy the visitor saw, and under which identifier - a pseudonymous banner ID is enough; do not collect a name or email just to log consent
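The five requirements above come down to a small amount of logic that a banner, or a plugin that replaces one, has to get right. The following is an added example, not code from the original article or from any of the plugins compared below: a consent model in JavaScript that denies every non-essential category by default, accepts only explicit choices, records what was agreed and when, makes withdrawal a single call appended to the same record, and decides which page scripts may run. It also honours the Global Privacy Control signal, which California treats as an opt-out of sale or sharing. The category names, the script-descriptor shape, and the sample page scripts are assumptions made for this example.

```javascript
// Added example: a default-deny consent model. Category names and the script
// descriptor shape ({ src, category }) are assumptions for this demo.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Before the visitor has chosen anything, only strictly necessary storage is
// allowed. This is the "no pre-ticked boxes" rule expressed as data.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from an explicit choice.
//   choices:   categories the visitor ticked individually (omitted = denied)
//   acceptAll: the visitor clicked "Accept all"
//   gpc:       Global Privacy Control (navigator.globalPrivacyControl in the browser,
//              Sec-GPC: 1 on the server). It is an opt-out of sale/sharing, so a
//              blanket "Accept all" must not switch marketing on over it; only an
//              individual tick of the marketing box counts as opting back in.
//   subjectId: a pseudonymous banner ID, never the visitor's name or email
function buildConsentRecord({ choices = [], acceptAll = false, gpc = false,
                              policyVersion, subjectId, now = Date.now() }) {
  const state = defaultConsent();
  const granted = acceptAll ? CATEGORIES.filter((c) => c !== 'necessary') : choices;
  for (const c of granted) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown consent category: ${c}`);
    state[c] = true;
  }
  if (gpc && !choices.includes('marketing')) state.marketing = false;
  const at = new Date(now).toISOString();
  return {
    subjectId,
    policyVersion,          // which cookie policy text the visitor actually saw
    choices: state,
    history: [{ at, action: acceptAll ? 'accept_all' : 'custom', choices: { ...state } }],
  };
}

// "Reject all" must be as easy as "Accept all": one call, same record shape.
function rejectAll({ policyVersion, subjectId, now = Date.now() }) {
  return buildConsentRecord({ choices: [], policyVersion, subjectId, now });
}

// Withdrawal flips one category off and appends to the history, so the audit
// trail shows both the grant and the withdrawal with their timestamps.
function withdraw(record, category, now = Date.now()) {
  if (category === 'necessary') throw new Error('strictly necessary storage cannot be withdrawn');
  if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
  const choices = { ...record.choices, [category]: false };
  const entry = { at: new Date(now).toISOString(), action: `withdraw_${category}`, choices: { ...choices } };
  return { ...record, choices, history: [...record.history, entry] };
}

// Script blocking: return only the scripts the current record permits. In the
// browser the blocked ones stay inert as <script type="text/plain"
// data-consent="analytics" src="..."> and are re-created as real script elements
// only for the entries this function returns. Unknown categories are denied.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => s.category === 'necessary' || record.choices[s.category] === true);
}

// Constructed sample page: one necessary script, one analytics, one marketing.
const PAGE_SCRIPTS = [
  { src: '/wp-includes/js/session.js', category: 'necessary' },
  { src: 'https://www.googletagmanager.com/gtag/js', category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', category: 'marketing' },
];

// Walk-through of the cases the text describes.
function demo() {
  const seen = '2025-01-01';
  const fresh = scriptsToActivate(PAGE_SCRIPTS, { choices: defaultConsent() });
  const custom = buildConsentRecord({ choices: ['analytics'], policyVersion: seen, subjectId: 'b7f3' });
  const withGpc = buildConsentRecord({ acceptAll: true, gpc: true, policyVersion: seen, subjectId: 'b7f3' });
  const later = withdraw(custom, 'analytics');
  return {
    beforeChoice: fresh.map((s) => s.src),                                   // only the session script
    afterCustom: scriptsToActivate(PAGE_SCRIPTS, custom).map((s) => s.src),  // session script + gtag
    acceptAllUnderGpc: withGpc.choices,                                       // marketing stays false
    afterWithdrawal: scriptsToActivate(PAGE_SCRIPTS, later).length,           // back to 1
    auditTrail: later.history.map((h) => h.action),                           // ['custom', 'withdraw_analytics']
  };
}
```

The record is what you keep as your consent log; the choices object is what you persist in the visitor’s first-party cookie. Note that the Accept-all shortcut and the individual ticks are deliberately distinct inputs: it is the only way to tell an opt-out signal apart from an explicit, site-specific opt-in, which is the distinction California’s regulations draw.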
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR/ePrivacy whenever they set cookies or otherwise store identifiers on the device (see the privacy-first analytics section for cookieless configurations) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex requests if you tell the requester why)
- Process for deletion requests (erase the data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to businesses outside the EU when they offer goods or services to people in the EU or monitor their behaviour (Article 3(2)); a small US website that sells to European customers, or that runs analytics and advertising pixels on European visitors, is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing data of people in the EU, including non-EU businesses that target or monitor them | Lawful basis for processing, consent, data subject rights, DPO for public bodies and for large-scale monitoring or sensitive-data processing | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible, collects any data (email signups, contact forms, cookies, analytics), and serves or tracks visitors in the EU, you are subject to GDPR. Given that EU-based visitors reach most English-language websites and nearly every analytics or advertising tag counts as monitoring, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (Article 7(1)), so store a record of which categories were consented to, when, and under which version of your cookie policy. Key the record to a pseudonymous consent ID rather than to the visitor’s identity; a consent log is not a reason to collect more personal data
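The requirements above translate into a small amount of logic that every consent plugin has to get right. The following is an added example, not code from the article or from any of the plugins compared below: an explicit choice per category, a dated record tied to a policy version, withdrawal, script gating and a cookie audit. The category names, the cookie-to-category table, the `POLICY_VERSION` string and the 365-day re-prompt window are assumptions, not values the article gives.

```javascript
// Added example, not code from the article or from any of the plugins it compares.
// Category names, the cookie-to-category table, POLICY_VERSION and MAX_AGE_DAYS
// are assumptions.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2024-06';   // assumed; bump it whenever the cookie policy text changes
const MAX_AGE_DAYS = 365;           // assumed re-prompt interval

// Known cookie names: _ga/_gid/_gat are Google Analytics, _fbp/_fbc the Facebook Pixel,
// PHPSESSID and the wordpress_* cookies are session and login state.
const COOKIE_CATEGORY = [
  { match: /^(PHPSESSID|wordpress_logged_in_|wordpress_sec_|wp-settings-)/, category: 'necessary' },
  { match: /^(_ga|_gid|_gat)/, category: 'analytics' },
  { match: /^(_fbp|_fbc|_gcl_)/, category: 'marketing' },
];

function categoryOf(cookieName) {
  const rule = COOKIE_CATEGORY.find((r) => r.match.test(cookieName));
  return rule ? rule.category : 'unclassified';
}

function newId() {
  // Pseudonymous record id; crypto.randomUUID exists in browsers and Node 19+.
  const c = globalThis.crypto;
  return c && c.randomUUID ? c.randomUUID() : `${Date.now()}-${Math.random().toString(16).slice(2)}`;
}

// Only an explicit `true` per category is consent. 'on', 1, undefined or a
// pre-ticked default all count as refusal: that is "no pre-ticked boxes" in code.
function recordConsent(choice, opts = {}) {
  const granted = { necessary: true, functional: false, analytics: false, marketing: false };
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && choice[c] === true) granted[c] = true;
  }
  return {
    id: opts.id || newId(),
    policyVersion: POLICY_VERSION,
    timestamp: opts.now || new Date().toISOString(),
    granted,
  };
}

// Withdrawal is one call, as easy as giving consent, and produces a fresh dated record.
function withdraw(record, category, now) {
  return recordConsent({ ...record.granted, [category]: false }, { id: record.id, now });
}

// Ask again when there is no record, the policy text changed, or the record is stale.
function needsReprompt(record, now = new Date()) {
  if (!record || record.policyVersion !== POLICY_VERSION) return true;
  const ageDays = (now - new Date(record.timestamp)) / 86400000;
  return ageDays > MAX_AGE_DAYS;
}

// Scripts are described as { src, category }. Before any choice only 'necessary' loads.
function scriptsToLoad(scripts, record) {
  const granted = record ? record.granted : { necessary: true };
  return scripts.filter((s) => granted[s.category] === true);
}

// Given the cookies currently set: which must be deleted under this record, and which
// ones nobody has classified yet (usually a newly installed plugin).
function auditCookies(cookieNames, record) {
  const granted = record ? record.granted : { necessary: true };
  const remove = [];
  const unclassified = [];
  for (const name of cookieNames) {
    const cat = categoryOf(name);
    if (cat === 'unclassified') unclassified.push(name);
    else if (!granted[cat]) remove.push(name);
  }
  return { remove, unclassified };
}

// Browser wiring: tags are shipped inert as <script type="text/plain" data-category="...">
// and only swapped for real script elements once their category is granted.
// Returns the number activated; 0 outside a browser.
function activateScripts(record, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!record.granted[inert.dataset.category]) continue;
    const live = doc.createElement('script');
    if (inert.src) live.src = inert.src;
    else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated++;
  }
  return activated;
}
```

The `unclassified` list from `auditCookies` is the output you want from the monthly cookie scan: any name in it belongs to a plugin nobody has categorised, and it is being set regardless of consent until you do.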
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - exempt when the visitor explicitly asked for the preference (chose a language), consent required when set by default |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media) but only cover plugin data if the plugin registers its own exporter and eraser through the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. Run a test export for your own account and read the result: if your WooCommerce orders, BuddyPress profile fields, or form submissions are missing, that plugin’s data is not covered and you need its own export/erasure tool or a documented manual process.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Every breach, including those you decide not to report, must be documented internally with its facts, effects and the remedial action taken (Article 33(5)). Designate someone responsible for breach assessment and notification in your organization, and keep web server, authentication and admin-action logs long enough that you can establish what was accessed within the 72-hour window.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control browser signal (the `Sec-GPC: 1` request header, exposed to scripts as `navigator.globalPrivacyControl`) as an opt-out, which the CPRA regulations require whether or not the visitor ever clicks the link. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When the card fields themselves are the processor’s (a hosted page, or an iframe such as Stripe Elements or Stripe Checkout) and card data never touches your server, your scope is reduced to PCI SAQ A, the simplest self-assessment questionnaire. The distinction matters: if the card fields live in your own page and your JavaScript posts them to the processor, you fall under SAQ A-EP, which carries many more requirements.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details in processor-hosted fields and returning a token or payment-method ID, which is all your server ever sees. Two checks keep the scope reduction real: periodically search your database and logs for anything that looks like a card number (a misconfigured form or logging plugin can capture one without anyone noticing), and treat the checkout page as a target for injected skimmer scripts even under SAQ A - keep the plugin count on that page minimal and lock down the scripts it loads with a Content Security Policy.
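A concrete version of “card data never touches your server” is a guard on the server side that refuses any checkout request or log line carrying something that looks like a PAN. The block below is an added example, not from the article or from Stripe, PayPal or WooCommerce; the `ALLOWED_FIELDS` list and the sample payloads are assumptions for a tokenized checkout, and the card numbers used are the well-known test numbers.

```javascript
// Added example, not the article's or any processor's code. ALLOWED_FIELDS and the
// sample payloads are assumptions for a checkout that posts a processor token.

// Luhn check: every real card number passes it; most order ids and timestamps do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes, on word boundaries.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Substrings that both look like a PAN and pass Luhn.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_RE)) {
    if (luhnValid(m[0].replace(/[ -]/g, ''))) hits.push(m[0]);
  }
  return hits;
}

// Mask everything but the last four digits; safe to apply to log lines and error reports.
function redact(text) {
  return String(text).replace(PAN_RE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// What a tokenized checkout is allowed to post: the processor's token plus order details.
const ALLOWED_FIELDS = ['payment_method', 'amount', 'currency', 'email', 'order_id'];

// Reject the whole request if it carries fields you never asked for (card_number, cvc, ...)
// or if any value, whatever the field is named, contains a card number. The CVV cannot be
// pattern-matched (three digits), which is why the field allowlist is the primary control.
function checkPayload(body, allowedFields = ALLOWED_FIELDS) {
  const problems = [];
  for (const key of Object.keys(body)) {
    if (!allowedFields.includes(key)) problems.push({ field: key, reason: 'unexpected field' });
  }
  const walk = (value, path) => {
    if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
    } else if (typeof value === 'string' || typeof value === 'number') {
      if (findPans(value).length > 0) problems.push({ field: path, reason: 'contains card number' });
    }
  };
  walk(body, '');
  return { ok: problems.length === 0, problems };
}
```

`redact` belongs in the logging layer, and `findPans` run over a database dump is the quickest way to answer “are we sure no card numbers ever landed in our tables?” before signing the SAQ.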
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The registration must be renewed every three years or it lapses, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR sets 16 by default and lets member states lower it to 13), and add an age check to registration forms if there is any possibility of underage users. The FTC recommends a neutral age screen: ask for the date of birth without stating the cutoff, do not let a rejected visitor go back and enter a different date, and do not keep the date of birth of visitors you turn away.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp, the account, the IP address and the ToS version that was shown along with it, since a bare boolean proves little in a dispute. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and neither is a marketing checkbox that is pre-ticked or required to complete registration.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but every message must carry a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with limited implied-consent exceptions such as an existing business relationship, and the burden of proving consent is on the sender.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, method of consent and the wording the subscriber saw for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly - the French CNIL, for example, exempts Matomo from the consent requirement when it is configured for audience measurement only (IP anonymization, no cross-site tracking, data not shared with third parties). Verify the configuration rather than assuming it; a default Matomo install sets cookies and needs consent like any other tool.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt, GDPR Art. 12(3); extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month window, with exceptions such as records you are legally required to retain for tax or accounting purposes)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is itself a GDPR violation (Article 28 requires a written contract with every processor) even if everything else is in order. Keep a copy of each signed DPA with your data map so you can show which vendor holds which data.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media metadata), but plugin data is only included if the plugin registers its own exporter and eraser with those tools (the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters). Check whether your WooCommerce orders, BuddyPress profiles, or form submissions are covered by running a test export for one of your own accounts and comparing the result with what you know those plugins store; anything missing needs a manual process.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33). If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay (Article 34). Keep an internal record of every breach you assess, including the ones you decide not to report and why, because the authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting and email vendors know how to reach that person, since processors are required to report breaches to you.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor opt-out preference signals such as Global Privacy Control (the CPRA regulations treat a GPC signal sent by the browser as a valid opt-out request, so the footer link alone is not enough if you sell or share). Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded, iframe-based payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the shortest self-assessment questionnaire). Two caveats: a form whose JavaScript on your own page posts card data to the processor (rather than an iframe the processor controls) falls into the longer SAQ A-EP, and PCI DSS v4 expects you to keep track of which scripts run on your payment page and to detect unauthorized changes to it, because a script injected into the page (a Magecart-style skimmer) can read the card form no matter where the data is eventually posted.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
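“Do not collect card numbers in your own forms” is easy to state and easy to break by accident: a contact form with a free-text field, a support ticket, or a debug log will happily accept a card number a customer pastes in, and once it is in your database or logs that system is in PCI scope. The following is an added example, not code from the article or from any payment processor: a Luhn-based scan that flags and masks card-number-like values before a submission is stored or logged. The form fields it scans in the usage below are constructed.

```javascript
// Added example (not from the article): a Luhn-based scan that flags and masks
// card-number-like values in data you are about to store or log, so accidental
// PAN collection is caught before it lands in your database. Sample data is
// constructed for the example.

// Luhn check over a string of digits; true for syntactically valid card numbers.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Every Luhn-valid candidate in the text, with the raw matched form kept so it
// can be replaced in place (separators and all).
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ raw: m[0], digits });
    }
  }
  return hits;
}

// Mask to first six and last four, the most PCI DSS allows to be displayed.
function maskPan(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

// Scan every string field of a form submission (or a log record). Returns a copy
// with PANs masked plus a list of findings to alert on: field name and masked value,
// never the full number, so the alert itself does not leak it.
function scrubSubmission(fields) {
  const clean = {};
  const findings = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== "string") {
      clean[name] = value;
      continue;
    }
    let redacted = value;
    for (const hit of findPans(value)) {
      const masked = maskPan(hit.digits);
      findings.push({ field: name, masked });
      redacted = redacted.split(hit.raw).join(masked);
    }
    clean[name] = redacted;
  }
  return { clean, findings };
}
```

Run the same scan over your web server and application logs, not just form input: a card number that ends up in a log line brings your logging pipeline into PCI scope just as surely as one in a database row. The Luhn check is what keeps order numbers and phone numbers from tripping the scan; a bare “13 to 19 digits” rule would flag both.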
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the designation expires after three years and must be renewed, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, where GDPR Article 8 sets the default and member states may lower it to 13), and add a neutral date of birth or age check to registration forms if there is any possibility of underage users. Neutral means the form does not steer the answer (no pre-filled adult birth year, no “you must be 13 or older” hint beside the field), since the FTC does not treat a leading age gate as an age gate at all. If the gate shows a visitor is under 13, collect nothing further from them.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you actually store it (timestamp, account, and the version of the terms accepted); a checkbox that is not logged proves nothing later. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (together with the ePrivacy rules on direct marketing), you need explicit opt-in consent to send marketing emails to subscribers, apart from the narrow existing-customer exception for your own similar products. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with limited implied-consent exceptions such as an existing business relationship, and the burden of proving consent is on the sender.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent in the EU because it sets identifying cookies (the ePrivacy cookie rule) and transfers the resulting data to Google, including to servers in the US (an international-transfer question under GDPR in its own right). If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Has a cookieless mode. Run it cookieless with IP anonymization and it can fall under the audience-measurement exemption from consent that some regulators grant (CNIL in France publishes the conditions), but that exemption is regulator-specific, so check your own supervisory authority’s guidance before dropping the analytics consent category.
- Plausible: From $9/month. No cookies and, by design, no stored personal data (it counts visitors with a hash of IP and user agent under a salt that rotates daily instead of setting an identifier). Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting or reading any non-essential cookies. The rule covers any storage of, or access to, information on the visitor’s device, so local storage, tracking pixels and fingerprinting scripts are in scope just as cookies are. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request; GDPR allows two further months for complex or numerous requests, but you must tell the requester about the extension within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a data breach that poses a risk to individuals. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly, without undue delay. Keep an internal log of every breach, including the ones you judge not reportable and why, because the supervisory authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually obliged to tell you about breaches promptly: your 72 hours start when you become aware, not when they do.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require you to treat an opt-out preference signal such as Global Privacy Control (sent by the browser as the Sec-GPC: 1 request header and exposed to page scripts as navigator.globalPrivacyControl) as a valid opt-out of sale or sharing, so check that your consent tool honors the signal and not only the footer link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything reaches your server. Outsourcing the form does not outsource the page that hosts it: a script injected into your checkout page through a compromised plugin or third-party tag can overlay or replace the embedded form and capture what the visitor types, which is why PCI DSS v4 adds script inventory and tamper-detection requirements for payment pages. Keep non-essential third-party scripts off the checkout page and lock down the rest with a Content-Security-Policy header and Subresource Integrity attributes.
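“Never touches your server” is a property worth enforcing in code rather than assuming: the only card-related value a tokenized backend should ever receive is the processor’s token, so anything that looks like a primary account number (PAN) in a request body is either a broken form, a plugin that bypassed the processor, or an attacker probing, and it should be rejected before it is stored or logged. The following is an added example written for this page (not code from Stripe, PayPal or WooCommerce); it assumes Stripe-style `pm_` PaymentMethod ids, and the request bodies in the test are constructed.

```javascript
// Added example (not from the original post, Stripe or WooCommerce): a guard for
// the server side of a tokenized checkout. It refuses any request carrying a
// Luhn-valid 13-19 digit number and masks such numbers before they reach a log.
'use strict';

// Luhn check: every real card number passes it, most random digit strings do not.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally grouped with spaces or dashes.
// The \b anchors stop a 20-digit order number from yielding a 19-digit "hit".
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a parsed JSON body and return the dotted paths of every field that holds a PAN.
function scanBody(body, path = '') {
  const findings = [];
  if (body === null || body === undefined) return findings;
  if (typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  } else if (findPans(body).length > 0) {
    findings.push(path);
  }
  return findings;
}

// Assumption: Stripe-style PaymentMethod ids ("pm_..."). Adapt to your processor.
const TOKEN_RE = /^pm_[A-Za-z0-9]{8,}$/;

// Accept a checkout only if it carries a token and nothing resembling card data.
function validateCheckout(body) {
  const leaks = scanBody(body);
  if (leaks.length > 0) {
    return { ok: false, reason: 'raw card data in fields: ' + leaks.join(', ') };
  }
  if (!TOKEN_RE.test(body.payment_method || '')) {
    return { ok: false, reason: 'missing or malformed payment token' };
  }
  return { ok: true, paymentMethod: body.payment_method };
}

// Mask PANs before anything reaches a log line, keeping only the last four digits.
function redactPans(text) {
  return String(text).replace(PAN_RE, m => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '*'.repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}
```

Run `validateCheckout` on the parsed body of every order endpoint and `redactPans` on every string that goes to your application log or error tracker. A Luhn-valid 16-digit order or tracking number will occasionally trip the scanner; that is a false positive you investigate, not a reason to loosen the check, because a single stored PAN moves you out of SAQ A.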
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly, which means cookie-less tracking, IP anonymisation switched on, and no data shared with third parties.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (an explicit “I agree” checkbox for accounts and purchases; “by using the site you accept these terms” browsewrap language is much harder to enforce)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CCPA was amended by the CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
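As an added example (not code from the article or from any of the plugins it names), the consent manager below turns the requirements above and the category table into working logic: nothing outside the strictly necessary category loads until the visitor makes an explicit per-category choice, withdrawal is a single call, and every decision is written to a consent record. The category names, policy version, script URLs and the injected `loadScript`/`storage` hooks are assumptions; in a browser `loadScript` would append a script tag and `storage` would wrap localStorage.

```javascript
// Hypothetical values: the policy version is bumped whenever the cookie policy
// changes, which invalidates stored records and brings the banner back.
const POLICY_VERSION = "2026-01";
const OPTIONAL = ["functional", "analytics", "marketing"]; // "necessary" needs no consent

function newConsentId() {
  // Pseudonymous id for the record: it identifies this browser's consent,
  // not the person, so the consent log itself holds no personal data.
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return "cid-" + Date.now().toString(36) + "-" + Math.random().toString(36).slice(2);
}

class ConsentManager {
  constructor({ loadScript, storage, now = () => new Date() }) {
    this.loadScript = loadScript; // called only for categories that have consent
    this.storage = storage;       // Map-like get/set that persists across page loads
    this.now = now;
    this.registry = {};           // category -> [script URLs]
    this.loaded = new Set();
    this.log = [];                // consent records, oldest first
  }

  // Register a third-party script under one category; nothing loads yet.
  register(category, url) {
    if (!OPTIONAL.includes(category)) throw new Error("unknown category: " + category);
    if (!this.registry[category]) this.registry[category] = [];
    this.registry[category].push(url);
  }

  // The stored record, or null when the visitor has not decided yet.
  current() {
    const raw = this.storage.get("consent");
    return raw ? JSON.parse(raw) : null;
  }

  // A record written under an older policy version is stale and counts as
  // no consent, so denied-by-default applies again after a policy change.
  hasConsent(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return Boolean(rec && rec.policyVersion === POLICY_VERSION && rec.categories[category]);
  }

  // Save an explicit per-category choice. Every optional category must be
  // answered with a boolean so a missing key can never count as acceptance
  // (the "no pre-ticked boxes" rule).
  save(choices, method) {
    const categories = { necessary: true };
    for (const cat of OPTIONAL) {
      if (typeof choices[cat] !== "boolean") throw new Error("no explicit choice for " + cat);
      categories[cat] = choices[cat];
    }
    const prev = this.current();
    const record = {
      consentId: prev ? prev.consentId : newConsentId(),
      policyVersion: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      method, // e.g. "banner-accept-all" or "settings-footer"
      categories,
    };
    this.storage.set("consent", JSON.stringify(record));
    this.log.push(record); // in production, also send to the server-side consent log
    this.applyLoads();
    return record;
  }

  acceptAll(method = "banner-accept-all") {
    return this.save(Object.fromEntries(OPTIONAL.map((c) => [c, true])), method);
  }
  rejectAll(method = "banner-reject-all") {
    return this.save(Object.fromEntries(OPTIONAL.map((c) => [c, false])), method);
  }
  // Withdrawal is the same one-step action as consent. Scripts that already
  // ran cannot be unloaded: delete their cookies and reload the page so the
  // denied categories never run again.
  withdraw(method = "settings-footer-withdraw") {
    return this.rejectAll(method);
  }

  // Load each registered script at most once, and only for granted categories.
  applyLoads() {
    for (const cat of OPTIONAL) {
      if (!this.hasConsent(cat)) continue;
      for (const url of this.registry[cat] || []) {
        if (this.loaded.has(url)) continue;
        this.loaded.add(url);
        this.loadScript(url);
      }
    }
  }
}
```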
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
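The requirements above and the category table, worked as an added example that is not code from the article or from any plugin it compares: a minimal consent gate in which nothing non-essential loads before an explicit click, every category defaults to off, withdrawal is one call, and each decision lands in an append-only log. The tag URLs, category names and policy version string are constructed placeholders.

```javascript
// Added example: a minimal cookie-consent gate. Not code from the article or
// from any plugin it names. Tag URLs and the policy version are placeholders.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Non-essential tags declared with the category they belong to. Nothing in
// this list is loaded until a record grants its category ("prior" consent).
const TAGS = [
  { id: "analytics-tag", category: "analytics",  src: "https://analytics.example/tag.js" },
  { id: "ads-pixel",     category: "marketing",  src: "https://ads.example/pixel.js" },
  { id: "lang-pref",     category: "functional", src: "https://cdn.example/prefs.js" },
];

// The only actions that count as consent: an explicit click on one of the
// banner buttons. Scrolling or continuing to browse is not an action here.
const ACTIONS = new Set(["accept_all", "reject_all", "save_selection"]);

// Build a consent record. `necessary` is always true and is never asked;
// every other category defaults to false, so nothing is pre-ticked.
function recordConsent({ subject, action, choices = {}, policyVersion, at = new Date() }) {
  if (!ACTIONS.has(action)) {
    throw new Error(`not a valid consent action: ${action}`);
  }
  const consent = { necessary: true, functional: false, analytics: false, marketing: false };
  for (const c of CATEGORIES) {
    if (c === "necessary") continue;
    if (action === "accept_all") consent[c] = true;
    else if (action === "save_selection") consent[c] = choices[c] === true;
    // reject_all leaves every non-essential category false
  }
  return { subject, action, policyVersion, timestamp: at.toISOString(), consent };
}

// Which declared tags may load under this record.
function allowedTags(record) {
  return TAGS.filter((t) => record.consent[t.category]).map((t) => t.id);
}

// The consent log is append-only: a withdrawal is a new "reject_all" record,
// and the earlier grant stays in the log so the history can be produced later.
function appendRecord(log, record) {
  log.push(record);
  return log;
}

function withdrawConsent(log, subject, policyVersion, at = new Date()) {
  return appendRecord(log, recordConsent({ subject, action: "reject_all", policyVersion, at }));
}

// The latest record for a subject decides what runs now.
function currentConsent(log, subject) {
  for (let i = log.length - 1; i >= 0; i--) {
    if (log[i].subject === subject) return log[i];
  }
  return null;
}

// Browser side: inject only the permitted tags. Takes the document as a
// parameter so the decision logic above stays testable outside a browser.
function applyConsent(record, doc) {
  const allowed = new Set(allowedTags(record));
  for (const tag of TAGS) {
    if (!allowed.has(tag.id) || doc.getElementById(tag.id)) continue;
    const s = doc.createElement("script");
    s.id = tag.id;
    s.src = tag.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return [...allowed];
}

// Worked run on a constructed log: grant analytics only, then withdraw.
function demo() {
  const log = [];
  const v = "privacy-policy-2024-01"; // placeholder policy version
  appendRecord(log, recordConsent({ subject: "visitor-42", action: "save_selection",
                                    choices: { analytics: true }, policyVersion: v }));
  const afterGrant = allowedTags(currentConsent(log, "visitor-42"));
  withdrawConsent(log, "visitor-42", v);
  const afterWithdraw = allowedTags(currentConsent(log, "visitor-42"));
  return { afterGrant, afterWithdraw, records: log.length };
}
```

Withdrawal only stops future loads; cookies already set by a previously permitted tag still have to be cleared, which is one reason the plugins above track which cookies each category sets.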
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
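A cheap safeguard for the "never let card numbers reach your server" rule is a request guard that inspects form bodies for anything that looks like a primary account number (PAN) and refuses the request before it is logged or written to the database, so a misconfigured theme or a custom checkout field cannot silently pull you out of SAQ A scope. The following is an added example, not code from the article, Stripe or WooCommerce; the field names and the sample bodies are constructed.

```javascript
// Added example: reject PAN-like values in server-side form fields.
// Field names and sample bodies are constructed for the illustration.

// Luhn checksum, which every payment card number satisfies. Expects a
// string of ASCII digits only (callers validate that first).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13-19
// digits and passes Luhn. The checksum keeps order numbers, phone numbers
// and tracking codes of the same length from being flagged.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed body (nested objects included) and return the dotted paths
// of every field holding a PAN-like value.
function findPanFields(body, prefix = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value && typeof value === 'object') hits.push(...findPanFields(value, path));
    else if (looksLikePan(value)) hits.push(path);
  }
  return hits;
}

// Decision for the caller (an Express middleware, a webhook handler):
// reject before anything is logged, so the PAN never lands in a log file.
// Only the field *paths* are reported, never the offending value.
function guardCheckout(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    return { accept: false, reason: `card data in server-side fields: ${panFields.join(', ')}` };
  }
  return { accept: true, reason: null };
}

module.exports = { luhnValid, looksLikePan, findPanFields, guardCheckout };
```

Wire the guard in front of body logging, not behind it, and keep its output to field names only; the correct server-side payload from Stripe.js or a Smart Button is a processor token such as the constructed `payment_token` below, which the guard passes untouched.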
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
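The requirements above and the category table map directly onto a small piece of logic that any consent banner, plugin or custom, has to get right: nothing beyond strictly necessary cookies runs until there is an active choice, each category is decided separately, withdrawal is one call, and every decision is written to a record that says what, when, by whom, and under which policy version. The following is an added example written for this article, not code from Complianz, CookieBot or any other plugin named here; the category names, tag names and policy version are constructed, and the store is an in-memory object so the logic runs outside a browser.

```javascript
// Added example (not from the article or any plugin it names): a minimal
// consent model that enforces the cookie-consent rules in code. Storage is
// an in-memory object so it runs outside a browser; on a real site the
// record would be persisted client-side and a copy posted to the server
// as the consent log.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // constructed: bump when the cookie policy changes

// Tag scripts (constructed names) are registered under a category and are
// only emitted once that category has been actively consented to.
const TAG_REGISTRY = {
  necessary: ["session-cookie", "csrf-token"],
  functional: ["language-pref"],
  analytics: ["analytics-tag"],
  marketing: ["ads-pixel"],
};

function createConsentManager(store = {}, now = () => new Date()) {
  function record() { return store.consent || null; }

  // Active choice only: there is no default "accepted" state. Anything not
  // explicitly granted is denied, and "necessary" can never be denied.
  function decide(granted, { userId = null, method = "banner" } = {}) {
    for (const c of granted) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    const choices = Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" || granted.includes(c)])
    );
    store.consent = {
      id: `consent-${now().getTime()}`,
      userId,              // who consented (null for anonymous visitors)
      method,              // how: banner click, settings page, withdrawal
      policyVersion: POLICY_VERSION,
      timestamp: now().toISOString(),
      choices,             // per-category decision, granular by design
    };
    return store.consent;
  }

  // A record made under an older policy version does not count as consent
  // for the current one: the visitor must be asked again.
  function isAllowed(category) {
    if (category === "necessary") return true; // exempt category
    const r = record();
    return Boolean(r && r.policyVersion === POLICY_VERSION && r.choices[category]);
  }

  // Withdrawal is a single call, as easy as giving consent.
  function withdrawAll({ userId = null } = {}) {
    return decide([], { userId, method: "withdraw" });
  }

  // Call this before injecting any third-party script: with no record yet,
  // only the strictly necessary tags come back.
  function tagsToLoad() {
    return CATEGORIES.filter(isAllowed).flatMap((c) => TAG_REGISTRY[c]);
  }

  return { decide, isAllowed, withdrawAll, tagsToLoad, record };
}
```

The design point is the absence of a default: `isAllowed` returns false for every non-necessary category until `decide` has been called, which is what "prior consent" means in practice. Tying the check to `POLICY_VERSION` also gives you the re-consent behaviour you need after a cookie policy change, which is one of the quarterly review items later in the article.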
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
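The 4.5:1 figure is a computable check rather than a judgement call, so it is worth knowing how the number is derived: each colour is converted to relative luminance from its sRGB channels, then the ratio is (L1 + 0.05) / (L2 + 0.05) with the lighter colour on top. Below is an added example, not code from the article or from WAVE or axe, that implements that WCAG 2.1 formula for hex colours and audits a list of foreground/background pairs; the palette values in the test are constructed.

```javascript
// Added example (not from the article, WAVE or axe): WCAG 2.1 contrast ratio
// for two hex colours, so a palette can be checked before a full audit.
function hexToRgb(hex) {
  const h = hex.replace(/^#/, "");
  const full = h.length === 3 ? h.split("").map((c) => c + c).join("") : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map((i) => parseInt(full.slice(i, i + 2), 16));
}

// Relative luminance as defined by WCAG: linearize each sRGB channel, then
// weight by the standard coefficients.
function relativeLuminance([r, g, b]) {
  const lin = [r, g, b].map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2];
}

// Ratio is always >= 1: lighter colour in the numerator.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(hexToRgb(fg));
  const l2 = relativeLuminance(hexToRgb(bg));
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA thresholds from WCAG 2.1: 4.5:1 for normal text, 3:1 for large text
// (roughly 18pt regular or 14pt bold).
function meetsAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a list of [fg, bg, isLargeText] pairs and return only the failures,
// each with its ratio rounded to two decimals for reporting.
function auditPairs(pairs) {
  return pairs
    .map(([fg, bg, large]) => ({
      fg,
      bg,
      ratio: Number(contrastRatio(fg, bg).toFixed(2)),
      pass: meetsAA(fg, bg, { largeText: !!large }),
    }))
    .filter((r) => !r.pass);
}
```

A useful thing this makes visible is how narrow the margin is: mid-grey `#777777` on white comes out just under 4.5 and fails for body text, while `#767676` passes, so "looks readable" is not a substitute for running the number.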
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
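The tokenized flow keeps card numbers out of your server by design, but a free-text field (order notes, a support form, a comment box) can still carry one if a customer types it in, and from there it lands in your database and logs and pulls them into PCI scope. A cheap backstop is a server-side guard that refuses or scrubs any submission containing a Luhn-valid digit run of card-number length. The following is an added example, not code from the article or from Stripe, PayPal or WooCommerce; the form fields are constructed and the card numbers in the test are the well-known test numbers, not real cards.

```javascript
// Added example (not from the article or any payment provider): a guard that
// detects card-number-like values in submitted form data so a mis-built form
// cannot put PANs into the database or logs. Detection = a run of 13-19
// digits (spaces or dashes allowed between them) that passes the Luhn check.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs; a run longer than 19 digits is only matched on its first
// 19, which the Luhn check then almost always rejects.
const CANDIDATE = /(?:\d[ -]?){13,19}/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Keep only the last four digits so the value is safe to put in a log line.
function maskPan(digits) {
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Walk a submitted form object and return the fields that must not be stored.
// An empty result means the submission is clean.
function checkSubmission(fields) {
  const violations = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findPans(value)) violations.push({ field: name, masked: maskPan(pan) });
  }
  return violations;
}
```

Wire `checkSubmission` in front of whatever persists the form, and reject the request (or blank the offending field) when it returns anything; the masked value is what goes in your own log, never the full digit run. Plain digit runs that fail Luhn, such as most order or tracking numbers, pass through untouched.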
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
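The five practical requirements above and the category table translate directly into code. What follows is an added example, not code from the original post or from any of the plugins compared below: a small consent state machine plus an audit helper. It is written as pure functions with no DOM access so it runs under Node; in a browser you would wire recordConsent() to the banner buttons and use mayLoad() to activate tags that were shipped as type="text/plain". The category names, POLICY_VERSION, the visitor id and the sample cookie inventory and script tags are assumptions constructed for the example.

```javascript
// Added example (not from the original post): consent state machine and
// cookie audit. Categories follow the table above; "necessary" is exempt.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01-01"; // assumption: bump when the cookie policy text changes

// State before any action: only strictly necessary is on. Nothing optional
// is pre-ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Turn an explicit user action into a consent record. Scrolling or
// continuing to browse is deliberately not an accepted action.
function recordConsent(action, choices, ctx) {
  const allowed = defaultChoices();
  switch (action) {
    case "accept_all":
      for (const c of CATEGORIES) allowed[c] = true;
      break;
    case "reject_all":
    case "withdraw": // withdrawing is one action, same as rejecting: back to necessary-only
      break;
    case "save_choices": // granular: each optional category is decided on its own
      for (const c of CATEGORIES) {
        if (c !== "necessary") allowed[c] = choices?.[c] === true; // absent means not consented
      }
      break;
    default:
      throw new Error(`"${action}" is not an explicit consent action`);
  }
  // The record answers "what was consented to, when, and by whom".
  return {
    subject: ctx.subjectId, // pseudonymous visitor id (assumption: a random first-party id)
    policyVersion: POLICY_VERSION,
    action,
    choices: allowed,
    recordedAt: ctx.now.toISOString(),
  };
}

// May a script in this category run? No record means no prior consent.
function mayLoad(category, record) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category "${category}"`);
  if (category === "necessary") return true;
  return record != null && record.choices[category] === true;
}

// Given the tags on the page (each carrying its category), return the src
// of every tag that may now be activated under the record.
function scriptsToActivate(record, tags) {
  return tags.filter((t) => mayLoad(t.category, record)).map((t) => t.src);
}

// Audit: compare cookies actually observed in the browser against the
// declared inventory (name -> category). Flags cookies the policy does not
// declare and cookies set in a category the visitor has not consented to.
function auditCookies(observed, inventory, record) {
  const findings = [];
  for (const name of observed) {
    const category = inventory[name];
    if (!category) findings.push({ cookie: name, issue: "undeclared" });
    else if (!mayLoad(category, record)) findings.push({ cookie: name, issue: "set_without_consent", category });
  }
  return findings;
}

// Constructed sample data for a stand-alone run (hosts are placeholders).
const SAMPLE_INVENTORY = {
  PHPSESSID: "necessary",
  wordpress_logged_in: "necessary",
  _ga: "analytics",
  _fbp: "marketing",
};
const SAMPLE_TAGS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Visitor consents to analytics only; the marketing pixel still set _fbp and
// an undeclared Hotjar cookie appeared after a plugin install.
function demo() {
  const ctx = { subjectId: "visitor-7f3a", now: new Date("2026-03-01T12:00:00Z") };
  const record = recordConsent("save_choices", { analytics: true }, ctx);
  return {
    activated: scriptsToActivate(record, SAMPLE_TAGS),
    findings: auditCookies(["PHPSESSID", "_ga", "_fbp", "_hjSession"], SAMPLE_INVENTORY, record),
  };
}
```

Running demo() activates only the necessary and analytics scripts and reports `_fbp` as set without consent and `_hjSession` as undeclared, which is exactly the pair of findings a monthly cookie scan should surface. Persisting the returned record (server-side, keyed by the pseudonymous id) is what makes the consent log auditable later.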
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, down to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: payment details are collected client-side and exchanged for a token before anything is sent to your server, so your server only ever sees the token.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
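The registration rules from this section and from the COPPA section above (explicit ToS acceptance, one checkbox per consent purpose, a minimum-age check) fit in one server-side validator. The block below is an added example, not code from the original post or from any plugin it mentions. The field names (acceptTos, dateOfBirth, marketingEmail), TOS_VERSION and the 13/16 thresholds are assumptions for illustration.

```javascript
// Added example (not from the original post): registration-form validation
// that records ToS acceptance, keeps marketing consent unbundled, and
// enforces a minimum age. Field names and thresholds are assumptions.
const TOS_VERSION = "2026-01-01"; // assumption: identifies the ToS text the user saw

// Minimum age by market: 16 for EU-targeted sites, 13 elsewhere (COPPA).
function minimumAge(region) {
  return region === "EU" ? 16 : 13;
}

// Whole years between dateOfBirth and today, in UTC. A birthday later in
// the year has not happened yet; a 29 February birthday counts from
// 1 March in non-leap years.
function ageInYears(dateOfBirth, today) {
  const age = today.getUTCFullYear() - dateOfBirth.getUTCFullYear();
  const sameMonth = today.getUTCMonth() === dateOfBirth.getUTCMonth();
  const hadBirthday =
    today.getUTCMonth() > dateOfBirth.getUTCMonth() ||
    (sameMonth && today.getUTCDate() >= dateOfBirth.getUTCDate());
  return hadBirthday ? age : age - 1;
}

// Validate a submitted form. `form` holds the posted fields; `ctx` carries
// the request time, the client IP and the region detected for the visitor.
function validateRegistration(form, ctx) {
  const errors = [];

  // ToS acceptance must be an explicit tick. The box is unchecked by
  // default and nothing else (submitting the form, scrolling) counts.
  if (form.acceptTos !== true) errors.push("tos_not_accepted");

  // Age gate. Reject unparseable dates rather than guessing.
  const dob = new Date(`${form.dateOfBirth}T00:00:00Z`);
  if (Number.isNaN(dob.getTime())) {
    errors.push("dob_invalid");
  } else if (ageInYears(dob, ctx.now) < minimumAge(ctx.region)) {
    errors.push("under_minimum_age");
  }
  if (errors.length > 0) return { ok: false, errors };

  // Account data is processed to perform the contract with the user, so it
  // gets no checkbox. Marketing email is consent-based and is read from its
  // own field: accepting the ToS never implies it, and a missing field
  // means "not consented". The record keeps what, when, from where and how.
  return {
    ok: true,
    record: {
      tosVersion: TOS_VERSION,
      tosAcceptedAt: ctx.now.toISOString(),
      ip: ctx.ip,
      method: "registration_form",
      lawfulBasis: { accountData: "contract", marketingEmail: "consent" },
      consents: { marketingEmail: form.marketingEmail === true },
    },
  };
}

// Constructed sample submissions for a stand-alone run.
const SAMPLE_CTX = { now: new Date("2026-03-01T12:00:00Z"), ip: "203.0.113.10", region: "EU" };
const SAMPLE_OK = { acceptTos: true, dateOfBirth: "2008-02-29", marketingEmail: false };
// Turns 16 tomorrow: rejected in the EU today, accepted where the threshold is 13.
const SAMPLE_UNDERAGE = { acceptTos: true, dateOfBirth: "2010-03-02", marketingEmail: true };
```

The returned record is what you store next to the account; a later consent withdrawal or a data subject access request should be answerable from it without consulting the form HTML of the day. Note that the region used for the threshold comes from the request context, so the same date of birth can pass in one market and fail in another.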
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
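The consent mechanics listed above (prior consent, no pre-ticked boxes, granular categories, easy withdrawal, a consent record, and script blocking per category) as an added example in plain JavaScript; this is not code from the post or from any of the plugins it compares. The category names, the policy version string, the pseudonymous subject id and the `data-category`/`data-src` attribute convention are assumptions.

```javascript
// Added example: consent-gating logic, not code from the post or any plugin it names.
// Category names, the policy version string and the data-category convention are assumed.
const CONSENT_CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "cookie-policy-v3"; // constructed; bump when the cookie policy changes

// State before the visitor has interacted: only exempt cookies. This is "prior" consent:
// nothing non-essential loads until an explicit choice exists.
function defaultCategories() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Record an explicit choice. Anything the visitor did not tick is false (no pre-ticked
// boxes); "necessary" is always true because strictly necessary cookies are exempt.
function buildConsentRecord(subjectId, choices, now = new Date()) {
  const categories = defaultCategories();
  for (const c of CONSENT_CATEGORIES) {
    if (c !== "necessary") categories[c] = choices[c] === true;
  }
  return {
    subjectId,                      // by which visitor (pseudonymous id in a first-party cookie)
    policyVersion: POLICY_VERSION,  // what was consented to
    recordedAt: now.toISOString(),  // when
    categories,
  };
}

// "Accept All" and "Reject All" must be equally easy: one click each, same record shape.
function acceptAll(subjectId, now) {
  return buildConsentRecord(subjectId, { functional: true, analytics: true, marketing: true }, now);
}
function rejectAll(subjectId, now) {
  return buildConsentRecord(subjectId, {}, now);
}

// Withdrawal is a new record with the category switched off, never an edit of the old
// one, so the log keeps the full history.
function withdrawCategory(record, category, now = new Date()) {
  return buildConsentRecord(record.subjectId, { ...record.categories, [category]: false }, now);
}

// A record made under an older policy version is stale: show the banner again and treat
// the visitor as having consented to nothing non-essential in the meantime.
function needsReprompt(record) {
  return !record || record.policyVersion !== POLICY_VERSION;
}

// Script gate. Blocked tags carry their category, e.g.
// <script type="text/plain" data-category="analytics" data-src="/js/analytics.js"></script>
// Unknown or missing categories fail closed (not allowed).
function allowedScripts(scripts, record) {
  const allowed = needsReprompt(record) ? defaultCategories() : record.categories;
  return scripts.filter((s) => allowed[s.category] === true);
}

// Append-only consent log (in memory here; a real site persists it server-side).
class ConsentLog {
  constructor() { this.entries = []; }
  append(record) { Object.freeze(record); this.entries.push(record); return record; }
  latestFor(subjectId) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      if (this.entries[i].subjectId === subjectId) return this.entries[i];
    }
    return null;
  }
}

// Browser glue: swap each permitted blocked tag for a live one. Safe to define in Node
// because it only touches the document object you hand it.
function activateScripts(doc, record) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const descriptors = tags.map((el) => ({ category: el.dataset.category, el }));
  for (const { el } of allowedScripts(descriptors, record)) {
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
  }
}
```

In a page, call `activateScripts(document, log.latestFor(id))` on load and again after every banner interaction; the stale-version check is what forces a re-prompt after you change the cookie policy.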
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: collect consent that is freely given, specific, informed and unambiguous - one unticked checkbox per purpose, no pre-ticked boxes, withdrawal as easy as giving it - and store a record of when, how and under which policy version it was given
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for access requests: provide a copy of the data, plus the purposes, recipients and retention period, within one month of receipt (extendable by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Process for deletion requests: erase within the same deadline, except data you must keep (invoices for tax law, records needed for a legal claim), and tell the requester what was kept and why
- Process for portability requests: export in a structured, machine-readable format (JSON or CSV)
- Process for correction requests: update inaccurate data and pass the correction on to processors that hold copies
- Verify the requester's identity before releasing or erasing anything: confirm through the account's registered email address or a logged-in session, never using details the requester typed into the request itself. An unverified access request is the cheapest way for an attacker to pull another user's records
- Document where you receive these requests (email address or form) and log each one with the date received, so the deadline is tracked
Data Processing Agreements
Every third-party service that processes personal data on your behalf needs a Data Processing Agreement (DPA) with you; Article 28 of the GDPR requires a written contract with each processor. This includes Google Analytics (accept Google's data processing terms in the Analytics admin), email marketing platforms (Mailchimp, ConvertKit), payment processors (Stripe, PayPal) and hosting providers (Cloudways and Kinsta both publish DPAs).
Most major vendors offer the DPA for download or electronic acceptance in their settings dashboard; some incorporate it into their standard terms automatically. Record for each vendor which of the two applies and where the signed or accepted copy lives. Completing them is a ten-minute task per vendor. A missing DPA is a GDPR violation on its own, even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They cover core data (user profile, comments, media attached to the user) and plugin data only when the plugin registers its own exporter and eraser with the core tool. WooCommerce does this for orders and customer data; check whether your BuddyPress profiles, form submissions and membership records are covered, and test it rather than trusting the plugin's changelog: create a test account, generate some plugin data with it, run an export, and read what comes back.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, you must also notify the affected individuals without undue delay. Keep an internal record of every breach, including the ones you decide not to report and the reasoning, because the authority can ask to see it. Designate someone responsible for breach assessment and notification, and make sure your hosting and plugin vendors know how to reach that person: processors must report breaches to you without undue delay, and the 72-hour clock should not be used up before you hear about it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal, which California treats as a valid opt-out of sale and sharing. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin's GPC handling is enabled as well, because a visitor who sends the signal must be opted out even if they never click the link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor such as Stripe, PayPal or Square. When the card number is typed into the processor's iframe and goes straight to the processor's servers, your server only ever sees a token and your scope drops to SAQ A, the shortest self-assessment questionnaire. Small is not zero, though: PCI DSS v4.0 brought the scripts on your payment page into scope even for fully outsourced checkouts. To use SAQ A you must be able to show that the checkout page is not exposed to attacks from scripts loaded on it, which in practice means an inventory of those scripts and a way to detect unauthorised changes to them. The threat behind this is Magecart-style skimming, where a compromised third-party script on the checkout page reads card details in the browser even though your server never touches them.
Do not collect card numbers in your own forms, and do not store card numbers anywhere in your database, logs or form-plugin submissions. Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly: the card fields are rendered inside the processor's iframe, the processor returns a token, and only the token reaches your server. A quick check of whether you are still in SAQ A territory: search your database, server logs and form-submission tables for anything that looks like a card number. If anything turns up, a form on your site is collecting what it should not.
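One way to check that card numbers are really staying out of your server, as an added example (not code from the original post, Stripe or PayPal): a scanner that finds Luhn-valid card numbers in a request body, a database export or a log file and returns only masked values. The sample bodies, the token format and the simplified issuer-prefix list are constructed for the illustration; this is a detective control for your own systems, not a substitute for the processor's tokenised form.

```javascript
// Added example: detect primary account numbers (PANs) in data that must never
// contain one. Not from the original post or any processor's SDK. Sample inputs
// and the issuer-prefix list are constructed and simplified.

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Simplified issuer prefixes (Visa, Mastercard, Amex, Discover). Cuts false
// positives on Luhn-valid numbers that are not cards; extend for your region.
const IIN = /^(4|5[1-5]|2[2-7]|3[47]|6(011|5))/;

// Candidate PANs: 13-19 digits, optionally separated by spaces or dashes, not
// embedded in a longer digit run. Returns first-6/last-4 masked values only, so a
// finding never copies the card number into your own logs.
function findPans(text) {
  const found = [];
  const re = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  for (const m of text.matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19) continue;
    if (!IIN.test(digits) || !luhnValid(digits)) continue;
    found.push(`${digits.slice(0, 6)}${'*'.repeat(digits.length - 10)}${digits.slice(-4)}`);
  }
  return found;
}

// Reject a request body that carries a PAN. A tokenised flow only ever sends the
// processor's token identifier, never the number itself.
function checkRequestBody(body) {
  const findings = findPans(typeof body === 'string' ? body : JSON.stringify(body));
  return { allowed: findings.length === 0, findings };
}

// Constructed sample inputs. The token string and the order reference are made up;
// the card numbers are the well-known public test numbers.
const SAFE_BODY = { amount: 1999, currency: 'usd', payment_method: 'pm_1Example000000000000000', order: '4111111111111112' };
const UNSAFE_BODY = { amount: 1999, card: { number: '4242 4242 4242 4242', exp: '12/29', cvc: '123' } };
```

Run the same `findPans` over a database dump or a day of access logs; a hit there means a form, a plugin or a debug log is capturing card data and your SAQ A assumption is wrong.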
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (typically 13, or 16 for sites serving EU users, where GDPR sets the default age of digital consent at 16 and lets member states lower it to 13), and add an age confirmation or date-of-birth check to registration forms if underage users are plausible. Store the outcome of the check, not the birthdate itself, unless you need it for some other purpose: a stored date of birth is additional personal data that you then have to protect, disclose and export.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Ticking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp, the user ID and the version of the terms accepted alongside it, or the record proves little later. For GDPR consent, use a separate, unticked checkbox for each consent purpose (marketing email, analytics, and so on) and do not fold consent into the terms checkbox: bundled consent is not valid, and consent cannot be made a condition of the account where the processing is not needed to provide it. Data needed to run the account itself is processed under the contract basis and needs no checkbox at all.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool removes the analytics category from your cookie consent banner, simplifies the banner, and usually speeds up the site (these tools load a script a fraction of the size of Google Analytics). After switching, confirm the change actually took effect: remove the GA tag and any tag-manager container that loads it, open the site in a fresh private window, check Application > Cookies in the browser's developer tools for leftover _ga cookies, and rerun your cookie scan.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics, including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories, and the setup wizard walks through configuration in under 30 minutes. Whichever plugin you choose, test the result the way a regulator would: load the site in a fresh private window, decline everything, and watch the Network tab in the browser's developer tools for requests to analytics or advertising domains. A script that fires before consent is the most common failure, and the cookie scanner will not catch it.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
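Even with a tokenized checkout, customers paste card numbers into contact forms, order notes and support tickets, and that text lands in your database and logs, pulling them back into PCI scope. As an added example (not from the post or from any payment provider), here is a server-side guard that screens a form submission before it is persisted: it finds Luhn-valid 13-19 digit runs, reports which fields carry one so the request can be rejected, and produces a redacted copy that is safe to log. The field names and the sample submission are constructed for illustration.

```javascript
// Added example: reject and redact card numbers in free-text form fields
// (not the post's or any vendor's code). SAMPLE below is constructed.

// Luhn (mod 10) check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

const DIGIT_RUN = /\d[\d -]{11,}\d/g; // digits with optional space/dash separators

// Every PAN-like token in the text: 13-19 digits that pass Luhn. Order ids and
// timestamps of the same length usually fail Luhn, but roughly one in ten will
// pass, so a hit means "do not store, ask a human", not proof of a card.
function findCardNumbers(text) {
  const found = [];
  for (const m of String(text).matchAll(DIGIT_RUN)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Screen a submission before it reaches the database or a log line. Returns the
// offending field names (reject the request and point the customer to the hosted
// payment form) and a copy with each PAN masked to its last four digits, which
// PCI DSS permits to be displayed.
function screenSubmission(fields) {
  const rejected = [];
  const redacted = {};
  for (const [name, value] of Object.entries(fields)) {
    const pans = findCardNumbers(value);
    if (pans.length === 0) { redacted[name] = value; continue; }
    rejected.push(name);
    redacted[name] = String(value).replace(DIGIT_RUN, (run) => {
      const digits = run.replace(/[ -]/g, "");
      return pans.includes(digits) ? "****" + digits.slice(-4) : run;
    });
  }
  return { ok: rejected.length === 0, rejected, redacted };
}

// Constructed sample: a support form where the customer pasted a card number.
// 4242 4242 4242 4242 is a well-known test number; 1234567890123456 is a
// 16-digit order id that fails Luhn and must not be flagged.
const SAMPLE = {
  name: "A. Customer",
  order: "Order 1234567890123456 did not arrive",
  message: "Charge my card 4242 4242 4242 4242 again please",
};
```

Run `screenSubmission` in the same request handler that would otherwise save the form, and log only `redacted`; logging the raw body defeats the point. The Luhn filter removes most false positives but not all, so treat the `rejected` list as a reason to refuse storage, not as evidence for any other action.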
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from every page where a user makes a decision. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and ePrivacy because it stores identifiers on the visitor’s device and builds a behavioural profile from them; sending that data to Google’s servers in the US is a separate international-transfer question, not the reason consent is needed. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Regulators such as the French CNIL exempt audience measurement from consent only under strict conditions (aggregate statistics, no cross-site tracking), and only in that configuration - turning on cookies, heatmaps or session recording puts Matomo back in the consent category.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics). A vendor-hosted tool still processes visitor data on your behalf, so it still needs a DPA and still belongs in your privacy policy.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent - the four of GDPR’s six lawful bases that websites normally rely on. Name the basis for each purpose rather than one basis for everything
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (clickwrap) at registration or checkout is far more likely to be enforced than a line saying that using the site implies acceptance (browsewrap), so use the checkbox wherever a user creates an account or pays
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The rule covers any information stored on or read from the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts need the same consent as cookies, and a banner that merely hides a script tag that has already executed does not count.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store what was consented to, when, under which version of your cookie policy, and against which consent identifier. For anonymous visitors that identifier is a random ID stored alongside the choice, not the visitor’s name or IP address; logging IPs to prove consent is itself personal data processing that needs its own justification and retention period
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes, whenever the tool sets cookies or fingerprints the device; a cookie-less, aggregate-only Matomo configuration is the exception discussed under Privacy-First Analytics |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Geo-targeting decides by IP geolocation, which is wrong for visitors on VPNs, corporate proxies and some mobile networks; if a meaningful share of your visitors are in the EU or UK, showing the banner to everyone is the safer setting.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex requests, provided you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you are legally required to keep)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form) and how you verify the requester’s identity before releasing or erasing anything - an unverified access request is a cheap way for an attacker to pull someone else’s records
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is a GDPR violation (Article 28) even if everything else is in order. Keep a copy of each accepted DPA with its version and date; vendors revise them, and an audit will ask which version you agreed to.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core data (users, comments, media) plus whatever a plugin registers through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. WooCommerce registers its order and customer data with these tools; many form, membership and community plugins do not. Run an export for a real test account and check whether its BuddyPress profile fields and form submissions appear before you rely on the core tools to answer a request.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. Every breach, including ones you decide not to report, must be documented internally with its facts, effects and the remedial action taken (Article 33(5)). Designate someone responsible for breach assessment and notification in your organization, and decide in advance how you will reach users if your email platform is part of what was compromised.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require you to honor an opt-out preference signal such as Global Privacy Control, which browsers send as the Sec-GPC: 1 request header and expose to scripts as navigator.globalPrivacyControl; the footer link alone does not satisfy that, so check that your consent tool actually reads the signal.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first. Automated scanners catch the mechanical problems (missing alt text, contrast, unlabeled form fields); keyboard-only and screen-reader walkthroughs still have to be done by hand.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). Two caveats: SAQ A applies when the card fields themselves are delivered by the processor (a redirect, or an iframe such as Stripe Elements); if your own page’s JavaScript collects the card fields and posts them to the processor, you fall into SAQ A-EP, which is much larger. And under PCI DSS v4 even SAQ A expects you to keep the page that embeds the form from being tampered with, because a script injected into that page (a compromised plugin, a malicious third-party tag) can skim card data before it reaches the iframe - so keep the CMS and plugins patched and review which third-party scripts load on checkout.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot leak into logs, error trackers, support tickets or session-recording tools either. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server, so the only payment value your server ever sees is a token or payment method id.
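The server-side half of that design is a checkout endpoint that accepts a token and nothing else. The guard below is an added example, not Stripe, PayPal or WooCommerce code: it rejects any request whose body carries fields outside an allow-list or contains a Luhn-valid card number anywhere in a string, before the body is logged. The allowed field names, the hypothetical `pm_` token format and the sample bodies are assumptions.

```javascript
// Added example: keep raw card data out of a token-only checkout endpoint.
// Luhn check over a string of digits (the card-number checksum).
function luhnValid(digits) {
  let sum = 0;
  let alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Walk any JSON value and return the paths of strings that look like a primary
// account number: 13-19 digits, spaces or dashes allowed, passing Luhn.
// Order numbers and tracking ids of the same length fail Luhn and are ignored.
function findCardNumbers(value, path = "$", hits = []) {
  if (typeof value === "string") {
    const candidates = value.match(/\b(?:\d[ -]?){13,19}\b/g) || [];
    for (const c of candidates) {
      const digits = c.replace(/[ -]/g, "");
      if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(path);
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findCardNumbers(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findCardNumbers(v, `${path}.${k}`, hits);
  }
  return hits;
}

// Assumed request shape: the only payment value is a processor token.
const ALLOWED_FIELDS = new Set(["paymentMethodId", "amount", "currency", "orderId", "note"]);
const TOKEN_PATTERN = /^pm_[A-Za-z0-9]+$/; // assumed token format (Stripe-style "pm_" id)

// Returns { ok: true } for a clean token-only body, otherwise { ok: false, reason, paths }.
// Run this before any logging or error reporting so a PAN never lands in your logs.
function validateCheckoutBody(body) {
  const unknown = Object.keys(body).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unknown.length) return { ok: false, reason: "unexpected fields", paths: unknown };
  const pans = findCardNumbers(body);
  if (pans.length) return { ok: false, reason: "card number in request", paths: pans };
  if (typeof body.paymentMethodId !== "string" || !TOKEN_PATTERN.test(body.paymentMethodId)) {
    return { ok: false, reason: "missing processor token", paths: ["$.paymentMethodId"] };
  }
  return { ok: true };
}

// Constructed sample bodies: one clean, one where a customer typed a card
// number into the free-text note (4242 4242 4242 4242 is a public test number).
const SAMPLE_CLEAN = { paymentMethodId: "pm_1AbCdEf", amount: 1999, currency: "usd", orderId: "1234567890123456" };
const SAMPLE_LEAKY = { paymentMethodId: "pm_1AbCdEf", amount: 1999, currency: "usd", note: "use card 4242 4242 4242 4242 exp 12/30" };
```

`validateCheckoutBody(SAMPLE_CLEAN)` passes even though the order id is sixteen digits long, because it fails the Luhn check; `SAMPLE_LEAKY` is rejected with the path `$.note`, which is what you want to alert on, since a card number in a free-text field means your front end let one through and your scope assumption no longer holds.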
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
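The consent rules above (no pre-ticked boxes, a "Reject All" as easy as "Accept All", non-essential scripts blocked until a decision exists, withdrawal as easy as consent, and a stored record of what was consented to and when) can be enforced in a few dozen lines of client-side logic. The following is an added example written for this article, not code from any of the plugins compared below; the category names, the policy version string and the `<script type="text/plain" data-consent="...">` tagging convention are this example's own assumptions.

```javascript
// Minimal consent manager (added example, not from the original article).
// Assumed categories mirror the table above; "necessary" is exempt and always allowed.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2026-01'; // hypothetical: bump whenever the cookie policy text changes

// Default state: only strictly necessary is granted. Nothing else is pre-ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build the record you must keep: what was granted, when, by whom, under which policy text.
function buildConsentRecord(choices, subjectId, now = new Date()) {
  const record = {
    subjectId,                       // pseudonymous visitor id; store no more than needed
    policyVersion: POLICY_VERSION,
    timestamp: now.toISOString(),
    choices: defaultChoices(),
  };
  for (const cat of CATEGORIES) {
    if (cat === 'necessary') continue;            // exempt, cannot be refused
    record.choices[cat] = choices[cat] === true;  // anything not explicitly true is a refusal
  }
  return record;
}

// "Accept All" and "Reject All" are symmetric: one click each, both produce a record.
function acceptAll(subjectId, now) {
  return buildConsentRecord({ functional: true, analytics: true, marketing: true }, subjectId, now);
}
function rejectAll(subjectId, now) {
  return buildConsentRecord({}, subjectId, now);
}

// Gate: may a script tagged with this category run under this record?
// No record means no decision yet, so only necessary scripts may load ("prior" consent).
function mayLoad(category, record) {
  if (!CATEGORIES.includes(category)) return false;   // unknown category: fail closed
  if (category === 'necessary') return true;
  if (!record || record.policyVersion !== POLICY_VERSION) return false; // re-ask after a policy change
  return record.choices[category] === true;
}

// Consent log, constructed in memory for this example; a real site persists it server-side.
const consentLog = [];
function logConsent(record) {
  consentLog.push(record);
  return consentLog.length;
}

// Withdrawal is one call and is logged like any other decision, so the trail shows when consent ended.
function withdraw(subjectId, now) {
  const record = rejectAll(subjectId, now);
  logConsent(record);
  return record;
}

// Browser glue: non-essential tags are shipped as <script type="text/plain" data-consent="analytics"
// data-src="..."> so the browser never executes them; this swaps in a real script tag only for
// granted categories. Guarded so the module also loads outside a browser (e.g. in tests).
function activateBlockedScripts(record, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent, record)) continue;
    const s = doc.createElement('script');
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}
```

Wire `acceptAll`, `rejectAll` and the granular save to the banner buttons, call `logConsent` then `activateBlockedScripts` with the resulting record, and expose `withdraw` behind the footer "cookie settings" link.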
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
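One defensive check that backs up the two rules above, as an added example written for this article (Python; not code from the post, Stripe, PayPal or WooCommerce): run every server-side form submission through a card-number detector before it is stored or logged, and reject or redact any field that carries a Luhn-valid 13 to 19 digit number. It assumes form data reaches the handler as a dict of field name to string. The two card numbers in the sample are the publicly documented test numbers used by payment processors; the field names and the order number are constructed for the example.

```python
"""Keep card numbers out of your own forms, logs and database (added example).

Assumptions: form data arrives as a dict of field name -> string in the
server-side handler, and anything that looks like a PAN is refused before it
is written anywhere. A genuine card field belongs in the processor's hosted
or embedded element, never in one of your own inputs.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens: the length
# range of real card numbers. Shorter or longer digit runs are never flagged.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands (also by some other IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-like values found in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace card-number-like values before text reaches a log or database."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "[PAN REDACTED]" if luhn_valid(digits) else m.group()
    return _CANDIDATE.sub(_sub, text)


class CardDataSubmitted(ValueError):
    """Raised when a submission would put card data on your server."""


def check_submission(fields: dict) -> dict:
    """Reject a form submission that carries a card number in any field.

    Returns the fields unchanged when clean; otherwise raises, naming the
    offending fields so the form itself can be fixed.
    """
    offending = sorted(name for name, value in fields.items() if find_pans(value))
    if offending:
        raise CardDataSubmitted(f"card number detected in field(s): {offending}")
    return fields


if __name__ == "__main__":
    # Constructed submission: a free-text "notes" field misused for card data.
    sample = {"name": "A. Customer", "order": "1234567890123456",
              "notes": "card 4242 4242 4242 4242 exp 12/30"}
    print(redact(sample["notes"]))          # safe to log
    try:
        check_submission(sample)
    except CardDataSubmitted as e:
        print("rejected:", e)
```

The order number in the sample is a 16 digit value that fails the Luhn check, so it passes; only genuine card-number-like values trip the detector. Run the same `find_pans` over existing database columns and old log files once, since "do not store card numbers anywhere" also covers data that arrived before the check existed.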
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
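One server-side backstop for the rule above, as an added example (not code from the article, Stripe, PayPal or WooCommerce): reject any submission that contains a PAN-like value before it can be written to your database, so a mis-wired form cannot silently pull your server into PCI scope. The field names, the Luhn-based detector and the sample request bodies are constructed for the demo.

```javascript
// Luhn check (ISO/IEC 7812-1): the checksum every payment card PAN satisfies.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after dropping spaces and dashes, it is
// 13-19 digits and passes Luhn. Processor tokens (e.g. "tok_...") never match.
// Note: ~10% of random 13-19 digit strings pass Luhn, so long numeric order
// or tracking ids can trigger this; allow-list such fields by path if needed.
function looksLikePan(value) {
  if (typeof value !== "string" && typeof value !== "number") return false;
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a nested form/JSON body and return the path of every PAN-like field.
// The full value is never returned or logged, only its last four digits.
function findPanFields(body, path = "") {
  const hits = [];
  if (body === null || typeof body !== "object") {
    if (looksLikePan(body)) {
      const digits = String(body).replace(/[\s-]/g, "");
      hits.push({ path, last4: digits.slice(-4) });
    }
    return hits;
  }
  for (const [k, v] of Object.entries(body)) {
    hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
  }
  return hits;
}

// Middleware-style guard (framework-agnostic, assumed shape): call it on every
// parsed request body before any persistence. Returns { ok: true } or a
// 400 response description; the field paths go to your alerting so the
// offending form gets fixed rather than quietly storing card data.
function guardSubmission(body) {
  const hits = findPanFields(body);
  if (hits.length === 0) return { ok: true };
  return {
    ok: false,
    status: 400,
    message: "Card data must not be sent to this server; use the processor's hosted form.",
    fields: hits.map((h) => h.path),
  };
}

// Constructed sample bodies: a correct tokenized checkout and a mis-wired form.
const SAMPLE_OK = { name: "Ada", email: "ada@example.com", stripe_token: "tok_visa" };
const SAMPLE_BAD = {
  customer: { name: "Ada" },
  payment: { card_number: "4242-4242-4242-4242", cvc: "123" },
};
```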
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
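The practical requirements listed above and the category table, as an added example that is not from the article or from any of the plugins it names: a minimal consent gate in JavaScript that defaults to no consent (prior consent), keeps each category separate (granular), stores a consent record, and withdraws in one call. It assumes a storage object with the localStorage interface (an in-memory shim is included so it runs headless), an assumed record layout (policy version, timestamp, method, per-category choices), and constructed script URLs; the category names come from the table.

```javascript
// Categories follow the page's table; "necessary" is the exempt one.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
// Assumed: bump this whenever the cookie policy text changes, so old
// records stop counting as consent to the new wording.
const POLICY_VERSION = "2024-01";

function createConsentManager(storage, now = () => new Date().toISOString()) {
  const KEY = "cookie_consent_v1"; // assumed storage key

  // Returns the stored record, or null when there is none, it is corrupt,
  // or it was given for an older policy version (re-prompt in that case).
  function load() {
    const raw = storage.getItem(KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (!rec || typeof rec.choices !== "object" || rec.choices === null) return null;
      return rec.policyVersion === POLICY_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  return {
    // "Prior" consent: with no record, only strictly necessary may load.
    canLoad(category) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      if (category === "necessary") return true;
      const rec = load();
      return rec !== null && rec.choices[category] === true;
    },
    // Granular, no pre-ticked defaults: a category is consented only if the
    // user explicitly chose it (boolean true); everything else is false.
    recordConsent(choices = {}, method = "unspecified") {
      const normalized = {};
      for (const c of CATEGORIES) {
        normalized[c] = c === "necessary" ? true : choices[c] === true;
      }
      const rec = { policyVersion: POLICY_VERSION, timestamp: now(), method, choices: normalized };
      storage.setItem(KEY, JSON.stringify(rec));
      return rec;
    },
    // "Reject All" must be as available as "Accept All".
    rejectAll(method = "banner-reject-all") {
      return this.recordConsent({}, method);
    },
    // Withdrawal is a single call, as easy as giving consent.
    withdraw() {
      storage.removeItem(KEY);
    },
    record: load,
  };
}

// In-memory shim with the subset of the window.localStorage interface used above.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
}

// Script gate: each third-party script is tagged with a category and only
// injected once that category is consented. The injector is a callback so the
// same logic works headless; in a browser it would append a <script> element.
function gateScripts(manager, scripts, inject) {
  const loaded = [];
  for (const s of scripts) {
    if (manager.canLoad(s.category)) {
      inject(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}
```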
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
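The consent rules above (explicit action only, granular categories, equally easy withdrawal, a record of what was consented to and when) and the category table, as an added JavaScript example that is not code from the original post or from any plugin it names. It is written without a DOM so it runs in Node; the category names follow the table, while the script registry, the policy version string and the in-memory log are constructed assumptions (a real banner would pass `document.createElement` as the `inject` callback).

```javascript
// Added example (not from the original post or any plugin it names):
// a DOM-free consent gate. Category names follow the Cookie Categories
// table; the registry, policy version and log below are constructed.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06"; // constructed: change whenever the cookie policy changes

// Tag registry (constructed placeholder URLs). Each script is tied to the
// one category whose consent it needs; "necessary" scripts never need it.
const SCRIPT_REGISTRY = [
  { id: "csrf-helper", category: "necessary",  src: "/js/csrf.js" },
  { id: "lang-pref",   category: "functional", src: "/js/prefs.js" },
  { id: "analytics",   category: "analytics",  src: "https://analytics.example/tag.js" },
  { id: "ad-pixel",    category: "marketing",  src: "https://ads.example/pixel.js" },
];

// Turn the user's explicit choices into a consent record. Anything that is
// not literally `true` for a category counts as refused, so a pre-ticked
// box, a "scrolled" flag or a string from a form can never grant consent.
function buildConsentRecord(choices, { now = new Date(), subjectId = null } = {}) {
  if (!choices || typeof choices !== "object") {
    throw new Error("consent requires an explicit user action");
  }
  const granted = {};
  for (const cat of CATEGORIES) {
    granted[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), subjectId, granted };
}

// "Reject All" and "Accept All" must be equally available; both produce a
// full record rather than leaving the visitor without one.
function rejectAll(opts) {
  return buildConsentRecord({}, opts);
}
function acceptAll(opts) {
  const all = {};
  for (const cat of CATEGORIES) all[cat] = true;
  return buildConsentRecord(all, opts);
}

// Withdrawal is a new record with that category switched off. The earlier
// record stays in the log, so what was consented to, and when, is preserved.
function withdraw(record, category, opts) {
  return buildConsentRecord({ ...record.granted, [category]: false }, opts);
}

// Append-only consent log. A record made under an older policy version is
// treated as absent, so the banner reappears after the policy changes.
class ConsentLog {
  constructor() { this.entries = []; }
  append(record) { this.entries.push(record); return record; }
  current(subjectId) {
    for (let i = this.entries.length - 1; i >= 0; i--) {
      const r = this.entries[i];
      if (r.subjectId === subjectId && r.version === POLICY_VERSION) return r;
    }
    return null;
  }
}

// Prior consent: with no valid record only strictly necessary scripts load.
// Returns the ids of registry entries that may be injected into the page.
function allowedScripts(record, registry = SCRIPT_REGISTRY) {
  return registry
    .filter(s => s.category === "necessary" || Boolean(record && record.granted[s.category] === true))
    .map(s => s.id);
}

// Gate the tag loader with that decision. `inject` is whatever adds a
// <script> to the page (document.createElement in a browser); here it is
// just a callback so the logic can be exercised without a DOM.
function loadPermittedScripts(record, inject, registry = SCRIPT_REGISTRY) {
  const ok = new Set(allowedScripts(record, registry));
  const loaded = [];
  for (const s of registry) {
    if (ok.has(s.id)) { inject(s.src); loaded.push(s.id); }
  }
  return loaded;
}

// Walk-through for one constructed visitor: only the CSRF helper loads
// before consent, analytics loads after an explicit opt-in, and the
// withdrawal takes it away again while the log keeps both records.
function demo() {
  const log = new ConsentLog();
  const visitor = "visitor-123"; // constructed id
  const before = allowedScripts(log.current(visitor));
  log.append(buildConsentRecord({ analytics: true }, { subjectId: visitor }));
  const afterOptIn = allowedScripts(log.current(visitor));
  log.append(withdraw(log.current(visitor), "analytics", { subjectId: visitor }));
  const afterWithdraw = allowedScripts(log.current(visitor));
  return { before, afterOptIn, afterWithdraw, entries: log.entries.length };
}
```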
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, the only exception being an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
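"Card data never touches your server" is a rule worth enforcing rather than assuming, because a free-text order note or a misconfigured form can carry a card number straight into your database and logs. This added example (not from the original post or from any processor's SDK) is a server-side guard that refuses any request body containing a Luhn-valid 13 to 19 digit run; field names in the constructed sample bodies are assumptions, and the middleware shape follows the common Express `(req, res, next)` convention.

```javascript
// Added example (not from the original post): reject inbound request bodies that
// look like they carry a primary account number (PAN), so the processor's
// client-side tokenization stays the only path for card data.

// Luhn check over a string of digits; weeds out order ids and phone numbers
// that happen to be the right length.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Collapse spaces and dashes, then look for 13-19 digit runs that pass Luhn.
function findPans(text) {
  const normalized = String(text).replace(/[ -]/g, "");
  return (normalized.match(/\d{13,19}/g) || []).filter(luhnValid);
}

// Walk nested JSON (objects, arrays, strings, numbers) and return the paths at
// which PAN-like data appears. Paths only: the digits themselves are never returned.
function scanBody(value, path = "$") {
  if (typeof value === "string" || typeof value === "number") {
    return findPans(value).length ? [path] : [];
  }
  if (Array.isArray(value)) return value.flatMap((v, i) => scanBody(v, `${path}[${i}]`));
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => scanBody(v, `${path}.${k}`));
  }
  return [];
}

// Express-style middleware (assumed convention): runs before any handler or
// request logger sees the body. The response names the offending field but
// never echoes the digits, so the rejection itself does not leak card data.
function rejectCardData(req, res, next) {
  const hits = scanBody(req.body);
  if (hits.length > 0) {
    res.status(400).json({
      error: "card data must be sent to the payment processor, not to this server",
      fields: hits,
    });
    return;
  }
  next();
}

// Constructed sample bodies: the first is what a tokenized checkout should send,
// the second is a customer who typed their card into the order notes.
const SAMPLE_TOKENIZED_BODY = { payment_method: "pm_constructed_placeholder", amount: 1999 };
const SAMPLE_LEAKY_BODY = { note: "use card 4242 4242 4242 4242 please", order_ref: "1234567890123456" };
```

`4242424242424242` is Stripe's well-known test number and passes Luhn; the 16-digit `order_ref` does not, so only `$.note` is reported. A guard like this belongs in front of every endpoint that accepts free text (support forms, order notes, comments), not just the checkout route.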
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-ticked boxes, a separate choice for each purpose, and a way to withdraw consent later)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
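The Data Mapping, Lawful Basis and DPA items above can be turned into something a script audits every quarter rather than a checklist read once. The following is an added example, not code from the original post or from any vendor it names: it models a small processing register and flags every entry that lacks a retention period, a valid lawful basis, properly collected consent, a documented LIA, or a signed DPA with its processor. The record fields and the sample register are constructed for illustration; the vendor names (Mailchimp, Google Analytics, Stripe) come from the post.

```python
"""Processing-register audit for the GDPR checklist items (added example).

Not code from the original post or from any tool it names. Field names
(data_type, source, storage, processor, retention_days, lawful_basis,
consent, lia_documented) and the sample register are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LAWFUL_BASES = {"consent", "contract", "legitimate_interest", "legal_obligation"}


@dataclass
class Consent:
    """How consent is collected for a consent-based activity."""
    pre_ticked: bool     # box already checked before the user acts (invalid)
    granular: bool       # one checkbox per purpose rather than bundled
    withdrawable: bool   # user can withdraw as easily as they opted in


@dataclass
class Record:
    """One row of the data map: what is collected, from where, kept where, by whom."""
    data_type: str
    source: str
    storage: str
    processor: str                 # "internal" or the third-party vendor name
    retention_days: Optional[int]  # None means nobody has decided yet
    lawful_basis: str
    consent: Optional[Consent] = None
    lia_documented: bool = False   # Legitimate Interests Assessment on file


def validate_record(rec: Record, dpas_signed: set[str]) -> list[str]:
    """Return the checklist gaps for one record (an empty list means clean)."""
    gaps = []
    if rec.retention_days is None:
        gaps.append("no retention period documented")
    if rec.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"unknown lawful basis '{rec.lawful_basis}'")
    if rec.lawful_basis == "consent":
        if rec.consent is None:
            gaps.append("consent basis claimed but no consent mechanism recorded")
        else:
            if rec.consent.pre_ticked:
                gaps.append("consent box is pre-ticked")
            if not rec.consent.granular:
                gaps.append("consent is bundled across purposes")
            if not rec.consent.withdrawable:
                gaps.append("consent cannot be withdrawn")
    if rec.lawful_basis == "legitimate_interest" and not rec.lia_documented:
        gaps.append("legitimate interest claimed without a documented LIA")
    if rec.processor != "internal" and rec.processor not in dpas_signed:
        gaps.append(f"no signed DPA with processor '{rec.processor}'")
    return gaps


def audit(register: list[Record], dpas_signed: set[str]) -> dict[str, list[str]]:
    """Map each data type that has gaps to its gaps; clean types are omitted."""
    report = {}
    for rec in register:
        gaps = validate_record(rec, dpas_signed)
        if gaps:
            report[rec.data_type] = gaps
    return report


# Constructed sample register for a small shop with a newsletter.
SAMPLE_REGISTER = [
    Record("email_marketing", "newsletter form", "Mailchimp", "Mailchimp", 730,
           "consent", Consent(pre_ticked=False, granular=True, withdrawable=True)),
    Record("ip_address", "analytics cookie", "Google Analytics", "Google Analytics", None,
           "consent", Consent(pre_ticked=True, granular=True, withdrawable=True)),
    Record("name_and_address", "checkout form", "own server", "internal", 2555, "contract"),
    Record("behavioral_data", "first-party cookie", "own server", "internal", 90,
           "legitimate_interest"),
]
SAMPLE_DPAS_SIGNED = {"Mailchimp", "Stripe"}  # constructed: Google's DPA not yet signed

if __name__ == "__main__":
    for data_type, gaps in audit(SAMPLE_REGISTER, SAMPLE_DPAS_SIGNED).items():
        print(data_type)
        for gap in gaps:
            print("  -", gap)
```

Run as a script it prints the gaps per data type; the same `audit` call can sit in a scheduled job so that installing a plugin without updating the register produces a visible failure instead of a silent drift from the policy.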
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
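To make the Data Subject Rights checklist and the plugin-data gap just described concrete, here is an added example (not code from the original post, WordPress or WooCommerce) of a request handler over two constructed in-memory stores: a core profile of the kind the built-in exporter covers, and an orders list standing in for plugin data that it does not. It tracks the 30-day deadline from the checklist, exports both stores as JSON for access and portability requests, and handles erasure with an exception: orders inside a constructed 7-year retention window are kept but stripped of identifying fields rather than deleted.

```python
"""Data-subject request handling over constructed stores (added example).

Not code from the original post, WordPress or WooCommerce. The in-memory
stores, the field names and the 7-year order-retention rule are constructed
for illustration; the 30-day response window is the figure used in the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

RESPONSE_WINDOW = timedelta(days=30)       # the post's 30-day figure
ORDER_RETENTION = timedelta(days=7 * 365)  # constructed: keep order records 7 years
REQUEST_KINDS = {"access", "erasure", "portability", "rectification"}


@dataclass
class Request:
    """One logged request; every request type gets the same deadline."""
    kind: str
    subject_email: str
    received: date

    def __post_init__(self):
        if self.kind not in REQUEST_KINDS:
            raise ValueError(f"unknown request kind {self.kind!r}")

    def due(self) -> date:
        return self.received + RESPONSE_WINDOW

    def overdue(self, today: date) -> bool:
        return today > self.due()


def find_user_id(users: dict, email: str):
    """Match the requester to a profile by e-mail, ignoring case and whitespace."""
    wanted = email.strip().lower()
    for user_id, profile in users.items():
        if profile["email"].lower() == wanted:
            return user_id
    return None


def export_portable(users: dict, orders: list, user_id: int) -> str:
    """Access/portability: core profile plus order history as JSON.
    The order history is the part a core-only exporter would miss."""
    payload = {
        "profile": users[user_id],
        "orders": [o for o in orders if o["user_id"] == user_id],
    }
    return json.dumps(payload, indent=2, sort_keys=True, default=str)


def erase(users: dict, orders: list, user_id: int, today: date) -> tuple:
    """Erasure with an exception: drop the profile; orders still inside the
    retention window are kept but stripped of identifying fields, older ones
    are deleted. Returns (new_users, new_orders, summary); inputs are untouched."""
    new_users = {uid: p for uid, p in users.items() if uid != user_id}
    new_orders, deidentified, deleted = [], 0, 0
    for order in orders:
        if order["user_id"] != user_id:
            new_orders.append(order)
        elif today - order["placed"] <= ORDER_RETENTION:
            new_orders.append({**order, "user_id": None,
                               "email": "[erased]", "billing_name": "[erased]"})
            deidentified += 1
        else:
            deleted += 1
    summary = {"profile_deleted": user_id in users,
               "orders_deidentified": deidentified, "orders_deleted": deleted}
    return new_users, new_orders, summary


# Constructed sample data: two users, one with an old and a recent order.
SAMPLE_TODAY = date(2024, 6, 2)
SAMPLE_USERS = {
    101: {"email": "ana@example.com", "display_name": "Ana", "signup_ip": "203.0.113.7"},
    102: {"email": "ben@example.com", "display_name": "Ben", "signup_ip": "203.0.113.9"},
}
SAMPLE_ORDERS = [
    {"order_id": 5001, "user_id": 101, "email": "ana@example.com",
     "billing_name": "Ana Example", "total": 42.50, "placed": date(2024, 3, 2)},
    {"order_id": 4001, "user_id": 101, "email": "ana@example.com",
     "billing_name": "Ana Example", "total": 10.00, "placed": date(2015, 1, 15)},
    {"order_id": 5002, "user_id": 102, "email": "ben@example.com",
     "billing_name": "Ben Example", "total": 99.00, "placed": date(2024, 5, 6)},
]

if __name__ == "__main__":
    req = Request("erasure", " Ana@Example.com ", date(2024, 6, 1))
    uid = find_user_id(SAMPLE_USERS, req.subject_email)
    print("respond by", req.due())
    print(export_portable(SAMPLE_USERS, SAMPLE_ORDERS, uid))
    _, _, summary = erase(SAMPLE_USERS, SAMPLE_ORDERS, uid, SAMPLE_TODAY)
    print(summary)
```

The `summary` dict is what belongs in the request log: it records that the profile was deleted and exactly which order records were kept under the retention exception, which is what you need to show if the requester or a supervisory authority asks why some data survived.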
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (inflation-adjusted), buy/sell/share personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form (an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your scope shrinks to SAQ A, the simplest self-assessment questionnaire. SAQ A is not zero work, though: PCI DSS 4.0 still expects you to protect the page that embeds the payment form (know which scripts run on it, keep them authorised, and detect tampering), because a compromised checkout page can skim card data from the processor’s iframe in Magecart-style attacks.
Do not collect card numbers in your own forms, and do not store card numbers anywhere in your database or logs. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and exchanging them for a processor token (a payment method ID) before anything reaches your server; your server only ever sees the token.
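A check worth adding on the server is one that refuses to ingest card data even if a form is mis-built or a customer pastes a card number into a notes field. The following is an added example, not code from the original post, Stripe or WooCommerce: it scans an incoming checkout body for Luhn-valid 13 to 19 digit sequences and rejects the request if any are found, accepting only an opaque processor token. The `pm_`/`tok_` token format, the field names and the request shape are assumptions; expect occasional false positives on long numeric IDs, which is the right failure direction for this guard.

```javascript
// Added example (not code from the original post, Stripe or WooCommerce):
// a server-side guard that rejects any incoming checkout body that looks
// like it carries a card number, so a mis-built form cannot quietly pull
// your server (and its logs) into PCI scope.

// Luhn check on a string of digits.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
const PAN_RE = /(?:\d[ -]?){12,18}\d/g;

// Return the Luhn-valid PANs found in a piece of text (digits only).
function findPans(text) {
  const hits = [];
  for (const m of String(text).match(PAN_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a parsed body (nested objects/arrays/strings) and collect the
// dotted paths of every field that contains a PAN.
function scanBody(body, path = '') {
  if (body == null) return [];
  if (typeof body === 'string' || typeof body === 'number') {
    return findPans(body).length ? [path || '(root)'] : [];
  }
  if (typeof body !== 'object') return [];
  return Object.entries(body).flatMap(([k, v]) => scanBody(v, path ? `${path}.${k}` : k));
}

// What an SAQ A-style checkout endpoint should accept: an opaque token
// from the processor (assumed Stripe-style pm_/tok_ id), never a PAN.
function acceptCheckout(body) {
  const tainted = scanBody(body);
  if (tainted.length) {
    // Reject without echoing the value: the PAN must not end up in a log line.
    return { ok: false, reason: 'card data in fields: ' + tainted.join(', ') };
  }
  const token = body && body.payment_method;
  if (typeof token !== 'string' || !/^(pm|tok)_[A-Za-z0-9]+$/.test(token)) {
    return { ok: false, reason: 'missing processor token' };
  }
  return { ok: true };
}

// Constructed sample requests (assumption; 4242... is a public test card number).
const GOOD_REQUEST = { payment_method: 'pm_1AbcDef', amount: 1999, phone: '2025550123' };
const BAD_REQUEST = { payment_method: 'pm_1AbcDef', order: { note: 'card 4242 4242 4242 4242 exp 12/30' } };
```

Run it as middleware in front of every endpoint that accepts customer input, not only the checkout route: support forms and order notes are where card numbers usually leak in.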
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the registration expires after three years and must be renewed, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Requiring users to check an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. GDPR consent is different: it must be separate per purpose, so email marketing needs its own unticked checkbox, distinct from the account terms, and it cannot be a condition of registering. Bundled or pre-ticked consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with implied consent recognised only in narrow cases such as an existing business relationship (for example a purchase within the past two years).
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Configured that way (no cookies, IP anonymisation, no cross-site tracking, nothing shared with third parties) it qualifies for the audience-measurement consent exemption that some regulators, notably France’s CNIL, recognise; it is not consent-free everywhere, so check the guidance for your main markets.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, and under which version of your cookie policy, keyed to a pseudonymous consent ID rather than to the visitor’s identity (the consent log should not itself become a tracking dataset)
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes (ePrivacy plus GDPR); some regulators exempt strictly first-party, cookieless audience measurement |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
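What “prior consent” means in code is that non-essential scripts must not execute until the stored choice says so. The following is an added example, not code from the original post or from any of the plugins it compares: gated scripts are shipped as `<script type="text/plain" data-category="analytics">`, which the browser does not execute, and a consent record carrying a policy version and a pseudonymous ID decides which of them to activate, with withdrawal as a one-call operation. The cookie name, policy version, `data-category` attribute and record layout are assumptions.

```javascript
// Added example (not code from the original post or any consent plugin):
// minimal client-side consent gating. Non-essential scripts are served as
// <script type="text/plain" data-category="..."> so the browser never runs
// them; they are activated only when a stored record allows their category.
const CONSENT_COOKIE = 'site_consent';   // assumed cookie name
const POLICY_VERSION = 3;                // bump whenever the cookie policy changes
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Pseudonymous id for the consent log: Web Crypto in browsers, crypto module in Node.
function randomId() {
  const c = (typeof globalThis.crypto !== 'undefined' && globalThis.crypto.randomUUID)
    ? globalThis.crypto : require('crypto');
  return c.randomUUID();
}

// Build a record of what was chosen, when and under which policy version.
// Only a literal `true` counts as consent; everything else is "no".
function buildConsentRecord(choices, now = Date.now(), id = randomId()) {
  const record = { id, version: POLICY_VERSION, timestamp: now, choices: {} };
  for (const c of CATEGORIES) {
    record.choices[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return record;
}

// Parse the stored cookie value. Missing, malformed, or issued under an
// older policy version all mean "no consent" and the banner is shown again.
function parseConsent(raw) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.version !== POLICY_VERSION || !rec.choices || typeof rec.choices !== 'object') return null;
  return rec;
}

// Withdrawal must be as easy as consent: keep the id (so the log shows the
// change), flip every non-essential category off, stamp a new time.
function withdrawConsent(record, now = Date.now()) {
  const cleared = {};
  for (const c of CATEGORIES) cleared[c] = c === 'necessary';
  return { ...record, timestamp: now, choices: cleared };
}

// Decide which gated scripts may run: "necessary" always, a known category
// only when explicitly consented, an unknown category never.
function scriptsToActivate(scripts, record) {
  return scripts.filter(s => {
    if (s.category === 'necessary') return true;
    if (!record || !CATEGORIES.includes(s.category)) return false;
    return record.choices[s.category] === true;
  });
}

// Browser-only: replace each permitted <script type="text/plain"> with a
// live copy so it executes now. Call after the banner stores the record.
function activateGatedScripts(doc, record) {
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const allowed = scriptsToActivate(gated.map(el => ({ category: el.dataset.category, el })), record);
  for (const { el } of allowed) {
    const live = doc.createElement('script');
    if (el.getAttribute('src')) live.src = el.getAttribute('src');
    else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Browser-only: read the record from document.cookie (assumed cookie name).
function loadConsent(doc) {
  const m = doc.cookie.match(new RegExp('(?:^|; )' + CONSENT_COOKIE + '=([^;]*)'));
  return parseConsent(m ? decodeURIComponent(m[1]) : null);
}
```

The version check is what keeps the record honest: when you add a new category or vendor, bumping `POLICY_VERSION` invalidates every stored choice and re-prompts, instead of silently treating old consent as covering the new processing.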
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
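The rules above (no pre-ticked defaults, granular categories, a Reject All that is as easy as Accept All, withdrawal, and a consent record) map onto a small amount of client-side logic. This is an added example in plain JavaScript, not code from the post or from any cookie consent plugin; the storage key, policy version string and category names are assumptions.

```javascript
// Added example (not from the original post): minimal consent-manager logic for
// the rules above. Nothing is granted until the visitor acts (no pre-ticks),
// each category is a separate flag, Reject All is one call like Accept All,
// withdrawal is one call, and every decision produces a dated, versioned record.
// STORAGE_KEY, POLICY_VERSION and the category names are assumptions.

const STORAGE_KEY = "cookie_consent";   // assumed key name
const POLICY_VERSION = "2024-01";       // assumed; bump it whenever the cookie policy changes
// "necessary" cookies are exempt and never asked for; these are the consentable categories.
const CATEGORIES = ["functional", "analytics", "marketing"];

// In-memory store with the localStorage interface so the logic also runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Random id used to cross-reference the server-side consent log; it is not a secret.
function newRecordId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

// Build the consent record from the banner's checkbox state. Only an explicit
// `true` grants; a missing, pre-filled or non-boolean value is recorded as refused.
function buildRecord(choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { id: newRecordId(), version: POLICY_VERSION, timestamp: now.toISOString(), granted };
}

class ConsentManager {
  constructor(store = memoryStore()) { this.store = store; }   // pass window.localStorage in the browser

  // The stored record, but only if it was given under the current policy version;
  // a record from an older version means the visitor has to be asked again.
  current() {
    const raw = this.store.getItem(STORAGE_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch (e) { return null; }
    const ok = rec && rec.version === POLICY_VERSION && rec.granted && typeof rec.granted === "object";
    return ok ? rec : null;
  }

  // "Save my choices" button. The caller should also POST the returned record
  // to the server-side consent log (what was consented to, when, by which visitor).
  save(choices) {
    const rec = buildRecord(choices);
    this.store.setItem(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }
  acceptAll() { return this.save(Object.fromEntries(CATEGORIES.map((c) => [c, true]))); }
  rejectAll() { return this.save({}); }                 // must be as easy to click as acceptAll
  withdraw()  { this.store.removeItem(STORAGE_KEY); }   // the footer "Cookie settings" link

  // The gate every tag loader asks before running. Scrolling or continuing to
  // browse changes nothing here: only a saved record can answer true.
  canLoad(category) {
    if (category === "necessary") return true;
    const rec = this.current();
    return rec !== null && rec.granted[category] === true;
  }
}

// Script blocking: ship third-party tags as
//   <script type="text/plain" data-cookiecategory="analytics" src="..."></script>
// so the browser never executes them, then turn on only the consented ones.
// Returns how many were activated; 0 outside a browser (no document).
function activateGatedScripts(manager, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const blocked of doc.querySelectorAll('script[type="text/plain"][data-cookiecategory]')) {
    if (!manager.canLoad(blocked.dataset.cookiecategory)) continue;
    const live = doc.createElement("script");
    if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
    blocked.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Re-running the cookie scan after a plugin install (see the maintenance table) is what tells you which new tags need the `type="text/plain"` treatment; a tag that loads before the gate is the "tracked before consent" failure the text warns about.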
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business established in the EU, and to a business anywhere else that offers goods or services to people in the EU or monitors their behaviour (analytics and advertising pixels count as monitoring). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Businesses established in the EU, plus any business offering goods or services to, or monitoring, people in the EU | Lawful basis for processing, consent, data subject rights, DPO where processing is large-scale or the controller is a public authority | 4% of worldwide annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing data of people in Brazil | Similar to GDPR - lawful basis, consent, data subject rights | 2% of Brazilian annual revenue (up to R$50M per infraction) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% of worldwide annual turnover or £17.5M, whichever is higher |
The practical implication: if your site offers anything to people in the EU, or runs analytics or tracking pixels on them (that counts as monitoring their behaviour), you are subject to GDPR no matter where you are based. Merely being reachable from the EU is not enough on its own, but since EU-based visitors reach most English-language websites and almost every site runs some form of tracking, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Consent, contract performance, legal obligation, or legitimate interest cover almost every website purpose; the remaining two bases (vital interests and public task) rarely apply to a website. Name a basis per purpose, not one basis for the whole policy
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA was amended by CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (a “by using this site you agree” notice, or an explicit checkbox for services; courts enforce the explicit click far more reliably than acceptance implied by browsing, so use the checkbox wherever there is a registration or checkout step)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storing of or reading from the visitor’s device, so localStorage, tracking pixels and fingerprinting scripts fall under it just as cookies do. “Prior” means before the cookie is set or the script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of your cookie policy. Key the record to a random consent ID stored alongside the choice rather than to the visitor’s identity, so the consent log does not itself become a new personal-data store
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the cookie that stores the visitor’s own consent choice | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes, unless the tool runs cookie-less under a regulator-recognised audience-measurement exemption |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same one-month window, with exceptions such as data you must keep for legal or accounting reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is an Article 28 violation even if everything else is in order. For vendors outside the EU/UK, check that the DPA also names the transfer mechanism (Standard Contractual Clauses or, for certified US companies, the EU-US Data Privacy Framework).
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify affected users directly without undue delay. Keep an internal breach register even for incidents you decide not to report, since you must be able to show the regulator why you made that call. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). The distinction that matters: SAQ A applies when the card fields live in an iframe or redirect page served by the processor; if JavaScript on your own page handles the card fields, you move to the longer SAQ A-EP.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
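A server-side safety net for the “never let card data touch your server” rule above, as an added example (not code from the page, Stripe, PayPal or WooCommerce): it scans a submitted payload for digit runs that pass the Luhn check, refuses the request before anything is written, and masks values for logging. The field names, the `pm_test_abc123` token and both sample payloads are constructed.

```javascript
// Added example: a server-side guard that refuses form submissions carrying
// anything that looks like a card number. Not code from the page, Stripe,
// PayPal or WooCommerce. Field names, the token and both sample payloads are constructed.

// Luhn mod-10 checksum, used by every major card brand. A 13-19 digit run that
// also passes Luhn is almost certainly a PAN rather than a phone or order number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Spaces and dashes are stripped first because people type "4242 4242 4242 4242".
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const stripped = value.replace(/[\s-]/g, '');
  const runs = stripped.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Walk a payload (nested objects and arrays included) and return the path of
// every field carrying a PAN-like value. An empty array means safe to store.
function findPanFields(payload, path = '') {
  const hits = [];
  if (payload === null || payload === undefined) return hits;
  if (typeof payload === 'string') {
    if (looksLikePan(payload)) hits.push(path || '(root)');
  } else if (typeof payload === 'object') {
    for (const [key, val] of Object.entries(payload)) {
      hits.push(...findPanFields(val, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Mask for logging: keep only the last four digits so an incident log never holds a PAN.
function maskPan(value) {
  return value.replace(/\d(?=(?:[\s-]?\d){4})/g, '*');
}

// What the handler does: reject before any write, and report field paths, never values.
function acceptSubmission(payload) {
  const rejected = findPanFields(payload);
  if (rejected.length > 0) {
    return { ok: false, status: 400, rejectedFields: rejected };
  }
  return { ok: true, status: 200 };
}

// Constructed samples. The first is a checkout where a free-text notes box let a
// card number through next to the processor token, which is all you should ever see.
const SAMPLE_BAD = {
  email: 'buyer@example.com',
  phone: '+1 212 555 0123',                         // 11 digits: not a PAN
  order_notes: 'Use card 4242 4242 4242 4242 please', // Luhn-valid 16-digit run
  payment: { token: 'pm_test_abc123', last4: '4242' },
};
const SAMPLE_GOOD = {
  email: 'buyer@example.com',
  order_ref: '1234567890123456',                    // 16 digits but fails Luhn
  payment: { token: 'pm_test_abc123', last4: '4242' },
};
```

This does not replace the tokenised form; it catches the day a plugin update, a “notes” field or a support form quietly starts accepting card numbers, which is exactly what would pull you out of SAQ A and into storing cardholder data you never meant to hold.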
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a designated agent with the US Copyright Office, have a working takedown process, and adopt (and actually apply) a policy of terminating repeat infringers.
Registration costs $6, takes about 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or the designation lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites), and add an age check to registration forms if there is any possibility of underage users. Ask for the minimum you need - a neutral age or date-of-birth question that does not hint at the cutoff - and do not store the answer from a visitor you turn away: their date of birth is itself personal data you should not be collecting.
Legal Page Templates and Placement
Your legal pages need to be easy to find from every page of the site. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance (store the timestamp, the IP and the ToS version that was shown). GDPR consent is different: it must be a separate, unticked, optional checkbox per purpose (e.g. marketing email), and it cannot be a condition of registration - bundling marketing consent into the ToS checkbox, or pre-ticking it, makes the consent invalid. Data you need to run the account itself (email address, password) is processed to perform the contract and needs no consent checkbox at all.
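The age gate and the unbundled consent checkboxes above come together in the registration handler. The following is an added example, not code from the original post or from WordPress/BuddyPress: it validates a submitted registration form, refuses underage visitors without keeping their date of birth, requires ToS acceptance, and writes one consent record per optional purpose, recording a refusal for every box left unticked so the audit trail shows the choice was offered. The field names, the two purposes, the policy version string and the sample submissions are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Added example (not code from the original post or from WordPress/BuddyPress).
# Server-side handling of a registration form with an age gate, a required ToS
# checkbox and one *separate, optional* checkbox per consent purpose. Field names,
# the purposes, and the policy version string are assumptions for illustration.

MINIMUM_AGE = 16                      # GDPR default for online services; member states may lower to 13
POLICY_VERSION = "2024-05-01"         # which ToS/privacy text was shown; bump it whenever the text changes
OPTIONAL_PURPOSES = ("marketing_email", "product_research")


class RegistrationError(ValueError):
    pass


@dataclass(frozen=True)
class ConsentRecord:
    email: str
    purpose: str
    given: bool
    timestamp: str        # UTC, ISO-8601
    ip: str
    method: str
    policy_version: str


def age_on(birth_iso: str, today_iso: str) -> int:
    """Completed years between two ISO dates (birthday not yet reached this year counts down)."""
    birth, today = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def register(form: dict[str, str], client_ip: str, today_iso: str | None = None) -> list[ConsentRecord]:
    """Validate the submission and return the consent records to persist."""
    today_iso = today_iso or datetime.now(timezone.utc).date().isoformat()
    if age_on(form["birth_date"], today_iso) < MINIMUM_AGE:
        # Refuse and keep nothing: retaining an underage visitor's DOB is itself collection.
        raise RegistrationError("below the minimum age for this service")
    if form.get("tos_accepted") != "on":
        raise RegistrationError("the Terms of Service must be accepted")
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    records = [ConsentRecord(form["email"], "terms_of_service", True, now,
                             client_ip, "registration_form", POLICY_VERSION)]
    # Each optional purpose gets its own record. None of them is a condition of
    # registration (bundling would invalidate the consent), and an unticked box is
    # logged as a refusal so the audit trail shows the choice was offered.
    for purpose in OPTIONAL_PURPOSES:
        records.append(ConsentRecord(form["email"], purpose, form.get(purpose) == "on",
                                     now, client_ip, "registration_form", POLICY_VERSION))
    return records


if __name__ == "__main__":
    # Constructed submission: ToS ticked, marketing ticked, research left unticked.
    sample = {"email": "alex@example.com", "birth_date": "2000-01-15",
              "tos_accepted": "on", "marketing_email": "on"}
    for record in register(sample, "203.0.113.7"):
        print(record)
```

Persist the records somewhere you can query by email and purpose: when a subscriber asks “when did I agree to this?” or a regulator asks for proof, the timestamp, IP, method and policy version are exactly what you need to produce.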
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
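What “no cookies, no personal data” means mechanically is worth seeing, because it is also what makes the consent exemption defensible. The following is an added example, not Plausible’s, Fathom’s or Matomo’s code: it models the daily-salt scheme that Plausible describes in its data policy. The visitor key is a keyed hash of (site, IP address, User-Agent) under a salt that is regenerated every day and discarded afterwards, so nothing is set in the browser, no IP address or User-Agent is written to the analytics store, and yesterday’s keys cannot be recomputed to link a visitor across days. HMAC-SHA256, the 32-hex-character truncation and the sample hits are this example’s choices, not any product’s.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Added example; not Plausible's, Fathom's or Matomo's code. It models the
# daily-salt scheme Plausible describes in its data policy: the visitor key is a
# keyed hash of (site, IP, User-Agent) under a salt regenerated every day and
# discarded afterwards, so no cookie is set, no IP address is stored, and a
# visitor cannot be linked from one day to the next. HMAC-SHA256 and the 32-hex-
# character truncation are this example's choices. Days are ISO date strings.


class DailySalt:
    """Holds at most the current day's salt; earlier salts are forgotten."""

    def __init__(self) -> None:
        self._salts: dict[str, bytes] = {}

    def for_day(self, day: str) -> bytes:
        for old in [d for d in self._salts if d < day]:
            del self._salts[old]            # old keys become unrecoverable
        return self._salts.setdefault(day, secrets.token_bytes(32))

    def days_held(self) -> list[str]:
        return sorted(self._salts)


def visitor_key(salt: bytes, site: str, ip: str, user_agent: str) -> str:
    """Per-day pseudonymous visitor id; the inputs themselves are never stored."""
    message = "\x1f".join((site, ip, user_agent)).encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:32]


def record_hit(salts: DailySalt, day: str, site: str, ip: str, user_agent: str, path: str) -> dict[str, str]:
    """The row that reaches the analytics store: no IP, no User-Agent, no cookie."""
    return {
        "day": day,
        "site": site,
        "path": path,
        "visitor": visitor_key(salts.for_day(day), site, ip, user_agent),
    }


if __name__ == "__main__":
    # Constructed hits from documentation addresses: same visitor, two days.
    salts = DailySalt()
    print(record_hit(salts, "2024-06-01", "example.com", "198.51.100.4", "Mozilla/5.0 (X11; Linux)", "/"))
    print(record_hit(salts, "2024-06-02", "example.com", "198.51.100.4", "Mozilla/5.0 (X11; Linux)", "/"))
    print(salts.days_held())
```

The trade-off is visible in the code: unique-visitor counts are only meaningful within a day, and a visitor whose IP or browser changes mid-day is counted twice. That loss of precision is the price of not having to ask for consent.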
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide the data within one month of the request - 30 days in practice - extendable by two further months for complex requests, and only after you have verified the requester’s identity: a data set handed to an impersonator is a data breach)
- Process for deletion requests (erase data within the same deadline, with exceptions such as records you are legally required to retain)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
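The list above is the policy; the handler below is what it looks like in code. It is an added example, not code from the original post or from WordPress: a minimal data-subject-request handler over an in-memory store shaped like a small membership site. It computes the response deadline, refuses to act on a request whose requester has not been identity-verified, exports everything keyed to the user as JSON for access and portability, and on erasure deletes the user’s rows except in tables with a legal retention reason, where it strips the rows down to non-personal fields instead. The table names, the field list kept for orders, the accounting-retention rule and the sample data are assumptions.

```python
from __future__ import annotations
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Added example (not code from the original post or from WordPress). A minimal
# data-subject-request handler over an in-memory store shaped like a small
# membership site. Table names, the field list kept for orders, and the
# accounting-retention rule are assumptions for illustration.

RESPONSE_DAYS = 30                 # GDPR says one month; tracking 30 days keeps you inside it
# Tables you may not simply delete (e.g. invoices kept under an accounting obligation,
# GDPR Art. 17(3)(b)). On erasure they keep only these fields; everything else is dropped.
RETAIN_FIELDS = {"orders": {"order_id", "total", "date"}}


@dataclass
class DsarRequest:
    user_id: int
    kind: str                 # "access", "portability", "erasure" or "rectification"
    received: str             # ISO date the request arrived
    verified: bool = False    # identity confirmed (e.g. a reply from the account's own email)

    @property
    def due(self) -> str:
        return (date.fromisoformat(self.received) + timedelta(days=RESPONSE_DAYS)).isoformat()


def user_rows(store: dict[str, list[dict]], user_id: int) -> dict[str, list[dict]]:
    return {t: [r for r in rows if r.get("user_id") == user_id] for t, rows in store.items()}


def export_tables(store: dict[str, list[dict]], user_id: int) -> dict[str, list[dict]]:
    return {t: rows for t, rows in user_rows(store, user_id).items() if rows}


def export_user_data(store: dict[str, list[dict]], user_id: int) -> str:
    """Access/portability: everything keyed to the user as machine-readable JSON."""
    return json.dumps(export_tables(store, user_id), indent=2, sort_keys=True, default=str)


def erase_user_data(store: dict[str, list[dict]], user_id: int) -> dict[str, str]:
    """Erasure: delete the user's rows; retained tables are stripped to non-personal fields."""
    summary = {}
    for table, rows in store.items():
        mine = [r for r in rows if r.get("user_id") == user_id]
        if not mine:
            continue
        if table in RETAIN_FIELDS:
            for row in mine:
                for key in list(row):
                    if key not in RETAIN_FIELDS[table]:
                        del row[key]          # user_id goes too: the row no longer points at anyone
            summary[table] = f"pseudonymised {len(mine)}"
        else:
            store[table] = [r for r in rows if r.get("user_id") != user_id]
            summary[table] = f"deleted {len(mine)}"
    return summary


def fulfil(store: dict[str, list[dict]], request: DsarRequest):
    """Gate every request on identity verification: a DSAR from an impersonator is a data leak."""
    if not request.verified:
        raise PermissionError("verify the requester's identity before releasing or erasing data")
    if request.kind in ("access", "portability"):
        return export_user_data(store, request.user_id)
    if request.kind == "erasure":
        return erase_user_data(store, request.user_id)
    raise ValueError(f"unsupported request kind {request.kind!r}")


def sample_store() -> dict[str, list[dict]]:
    """Constructed sample data (documentation names and addresses)."""
    return {
        "users": [{"user_id": 7, "email": "alex@example.com", "name": "Alex"},
                  {"user_id": 8, "email": "sam@example.com", "name": "Sam"}],
        "comments": [{"id": 1, "user_id": 7, "body": "first"}, {"id": 2, "user_id": 7, "body": "second"},
                     {"id": 3, "user_id": 8, "body": "hello"}],
        "orders": [{"order_id": 1001, "user_id": 7, "total": "19.99", "date": "2024-03-02", "ship_to": "1 Main St"},
                   {"order_id": 1002, "user_id": 8, "total": "5.00", "date": "2024-04-10", "ship_to": "2 High St"}],
    }


if __name__ == "__main__":
    store = sample_store()
    request = DsarRequest(user_id=7, kind="erasure", received="2024-06-01", verified=True)
    print("due by", request.due)
    print(export_user_data(store, 7))
    print(fulfil(store, request))
```

On a real WordPress site the tables are whatever your plugins created (WooCommerce orders, BuddyPress profiles, form submissions), which is exactly why the built-in exporter can miss data: this handler only finds what it is told to look in.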
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Keep an internal register of every breach, including the ones you decide not to report, and designate someone responsible for breach assessment and notification in your organization so the 72-hour clock does not run out while people work out whose job it is.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks dramatically, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but unsubscribe requests must be honored within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies; a single “Accept All” option without an equivalent “Reject All” is not valid consent
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it; a cookie settings link in the footer is the standard
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
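As an added example, not code from the original post or from any of the consent plugins it names, the JavaScript below implements the requirements and categories above in their smallest workable form: nothing outside the strictly necessary category runs until a valid, explicitly given consent record exists, “Reject All” is the baseline, withdrawal is one call per category, and the record stores what was consented to, when, under which pseudonymous id and through which action. The cookie name, version number and 180-day re-consent interval are assumptions for this example, and gated tags are assumed to be shipped as `<script type="text/plain" data-consent="analytics" data-src="...">`, a common script-blocking pattern.

```javascript
// Added example: a minimal prior-consent gate. Not code from the original post
// or from any plugin it names; the names and constants below are assumptions.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_VERSION = 1;          // assumed: bump whenever purposes or vendors change
const CONSENT_TTL_DAYS = 180;       // assumed re-consent interval
const COOKIE_NAME = "site_consent"; // assumed cookie name

// "Reject All" baseline: only strictly necessary, nothing pre-ticked.
function rejectAll() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

function acceptAll() {
  return { necessary: true, functional: true, analytics: true, marketing: true };
}

// Record what was consented to, when, by which pseudonymous id, and how.
// Only an explicit action may create a record, so scrolling or continuing to
// browse can never count as consent.
function makeConsentRecord(choices, consentId, method, now = Date.now()) {
  if (method !== "banner_click" && method !== "settings_panel") {
    throw new Error("consent requires an explicit user action");
  }
  const granted = { necessary: true };
  for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
  return { version: CONSENT_VERSION, id: consentId, method, timestamp: new Date(now).toISOString(), granted };
}

// Valid only for the current version and within the TTL; anything else means
// the banner is shown again and non-essential scripts stay blocked.
function isValidConsent(record, now = Date.now()) {
  if (!record || record.version !== CONSENT_VERSION || !record.granted) return false;
  const age = now - Date.parse(record.timestamp);
  return Number.isFinite(age) && age >= 0 && age < CONSENT_TTL_DAYS * 86400000;
}

// Withdrawal is as easy as granting: one call, one category.
function withdraw(record, category, now = Date.now()) {
  if (category === "necessary") throw new Error("strictly necessary cookies cannot be withdrawn");
  return makeConsentRecord({ ...record.granted, [category]: false }, record.id, "settings_panel", now);
}

// Pure gating decision: which blocked tags may become live scripts. Unknown
// categories and missing/expired records fall back to "necessary" only.
function scriptsToActivate(scripts, record, now = Date.now()) {
  const ok = isValidConsent(record, now) ? record.granted : rejectAll();
  return scripts.filter((s) => ok[s.category] === true);
}

// Visitor's copy of the record. The same JSON is also sent to the server so a
// consent log exists independently of the browser.
function consentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${COOKIE_NAME}=${value}; Max-Age=${CONSENT_TTL_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

function readConsentCookie(cookieHeader) {
  const pair = String(cookieHeader || "").split(/;\s*/).find((c) => c.startsWith(COOKIE_NAME + "="));
  if (!pair) return null;
  try { return JSON.parse(decodeURIComponent(pair.slice(COOKIE_NAME.length + 1))); } catch { return null; }
}

// Browser side: tags shipped as <script type="text/plain" data-consent="analytics"
// data-src="/analytics.js"> are swapped for real <script> elements only for
// granted categories. Returns how many were activated (0 outside a browser).
function activateBlockedScripts(record, doc = globalThis.document) {
  if (!doc) return 0;
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ el, category: el.dataset.consent }));
  let activated = 0;
  for (const { el } of scriptsToActivate(blocked, record)) {
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

The design choice worth noting is that the gate fails closed: an absent, expired or old-version record is treated exactly like “Reject All”, which is what “prior consent” requires in practice. The version field is what lets you re-ask everyone when you add a new vendor or purpose instead of silently extending an old consent to it.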
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
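The requirements list and category table above describe a consent gate without showing one. As an added example (not code from the original post or from any of the plugins compared below), the following models the four rules in plain JavaScript: nothing optional is on by default, categories are granular, withdrawal is one call, and every decision produces a record of what, when and by whom. The `type="text/plain"` / `data-cookie-category` tag convention, the field names and the sample script URLs are this example's own assumptions.

```javascript
// Added example: category-based consent gate with an auditable consent record.
// Categories follow the table above; "necessary" is the only exempt one.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// State before the visitor acts: no optional category is enabled (no pre-ticked boxes).
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the banner's checkbox state. Only an explicit boolean
// `true` counts; a missing key (banner dismissed, page scrolled) is treated as refusal.
function buildConsentRecord(choices, { now = new Date(), subjectId, policyVersion, method = "banner" } = {}) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") consent[cat] = choices[cat] === true;
  }
  return {
    consent,                              // what was consented to
    consentedAt: now.toISOString(),       // when
    subjectId,                            // by which user (pseudonymous banner id, assumed)
    policyVersion,                        // which cookie policy text was shown
    method,                               // "banner" | "settings" | "withdrawal"
  };
}

// Withdrawal is a single call that yields a new record with every optional category
// off; keep it in the log next to the original so the history stays auditable.
function withdrawConsent(previous, now = new Date()) {
  return buildConsentRecord({}, {
    now, subjectId: previous.subjectId, policyVersion: previous.policyVersion, method: "withdrawal",
  });
}

// Script blocking: tags ship inert and carry a category; return only those the
// current consent allows. Unknown categories are never allowed.
function allowedScripts(consent, scripts) {
  return scripts.filter(s => CATEGORIES.includes(s.category) && consent[s.category] === true);
}

// Browser side: swap each permitted inert tag for a live <script> so it executes
// only now, after consent (this is what "prior" consent means in practice).
function activateScripts(consent, doc) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const tagged = inert.map(el => ({ el, src: el.dataset.src, category: el.dataset.cookieCategory }));
  for (const { el, src } of allowedScripts(consent, tagged)) {
    const live = doc.createElement("script");
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

// Demo with constructed data: visitor enables analytics only, then later withdraws.
function demo() {
  const tags = [
    { src: "/js/csrf-token.js", category: "necessary" },
    { src: "https://analytics.example.com/collect.js", category: "analytics" },
    { src: "https://ads.example.com/pixel.js", category: "marketing" },
  ];
  const before = allowedScripts(defaultConsent(), tags);   // only the necessary script
  const granted = buildConsentRecord({ analytics: true }, {
    now: new Date("2024-05-01T10:00:00Z"), subjectId: "cb-7f3a", policyVersion: "2024-04",
  });
  const after = allowedScripts(granted.consent, tags);     // necessary + analytics
  const withdrawn = withdrawConsent(granted, new Date("2024-06-01T09:00:00Z"));
  return { before, after, granted, withdrawn };
}

if (typeof document !== "undefined") activateScripts(demo().granted.consent, document);
```

Store the returned records server-side (or in the consent log your plugin provides); the `subjectId` lets a visitor's later withdrawal be matched to the original grant.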
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
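A guard that enforces the two rules above is cheap to add. As an added example (not from the original post, and not Stripe's, PayPal's or WooCommerce's code), the following server-side check refuses any form submission in which a field holds something that looks like a card number, so a mis-wired form cannot silently push you out of SAQ A scope by writing PANs into your database or logs. The field names and submissions are constructed; `4242424242424242` is Stripe's publicly documented test card.

```javascript
// Added example: reject primary account numbers (PANs) arriving in your own forms.

// Luhn checksum (the check digit scheme every payment card number satisfies).
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, once spaces and dashes are stripped, it is 13 to 19
// digits and passes Luhn. Phone numbers and ZIP codes are too short to match;
// a long reference number that happens to pass Luhn is a possible false positive.
function looksLikePan(value) {
  if (typeof value !== "string") return false;
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Scan a flat form submission and return the names of offending fields.
function findPanFields(form) {
  return Object.keys(form).filter(k => looksLikePan(form[k]));
}

// Accept the submission untouched if it is clean; otherwise reject the whole thing.
// The log line names the field and the last four digits only, so the PAN itself is
// never written to disk even as "evidence".
function acceptSubmission(form) {
  const hits = findPanFields(form);
  if (hits.length === 0) return { ok: true, data: form };
  const evidence = hits.map(k => `${k}: ****${form[k].replace(/\D/g, "").slice(-4)}`);
  return {
    ok: false,
    rejectedFields: hits,
    logLine: `PAN rejected in form submission (${evidence.join(", ")})`,
  };
}

// Constructed submissions: a normal contact form and one where a card number
// was typed into a free-text field.
function demo() {
  const clean = { name: "Ada", phone: "555-0100-4242", note: "order 2024-0001" };
  const leaked = { name: "Ada", card_number: "4242 4242 4242 4242", cvc: "123" };
  return { clean: acceptSubmission(clean), leaked: acceptSubmission(leaked) };
}
```

Run `acceptSubmission` before any handler that persists or logs form data; if a legitimate numeric field trips it, narrow the scan to an allowlist of field names rather than weakening the Luhn test.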
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
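Even when checkout is handled by the processor, customers sometimes paste a card number into a contact form, a support ticket or an order note, and that text then lands in your database and logs. The following guard for a server-side form handler is an added example written for this article, not code from Stripe, PayPal, WooCommerce or any plugin named here: it recognises card-number-like values with the Luhn checksum and rejects the submission with the offending fields redacted, so nothing PAN-shaped is ever stored. The sample submission is constructed.

```javascript
// Added example (not from Stripe, PayPal, WooCommerce or the original article).
// Guards a server-side form handler so that a card number typed into an ordinary
// field is never written to your database or logs.

// Luhn (mod 10) checksum used by payment card numbers. Returns true when the digit
// string checks out; most random digit runs (order ids, phone numbers) fail it.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like" a card number if, after removing spaces and dashes, it is
// 13 to 19 digits long (the PAN length range) and passes Luhn.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Scans every string field of a submission, including free text, for digit runs
// that look like card numbers. Returns the names of the offending fields.
function scanForCardData(fields) {
  const hits = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    const runs = value.match(/(?:\d[ -]?){13,19}/g) || [];
    if (runs.some(looksLikeCardNumber)) hits.push(name);
  }
  return hits;
}

// Policy: refuse the submission and redact the offending fields, so that even an
// error log of the rejected request contains no card number.
function sanitizeSubmission(fields) {
  const rejectedFields = scanForCardData(fields);
  const cleaned = { ...fields };
  for (const name of rejectedFields) {
    cleaned[name] = '[redacted: card numbers are not accepted here]';
  }
  return { accepted: rejectedFields.length === 0, rejectedFields, cleaned };
}

// Constructed sample: a support note in which the customer pasted a test card number.
const SAMPLE_SUBMISSION = {
  name: 'Sample Customer',
  order: '1234567890123',                                 // 13 digits but fails Luhn: kept
  note: 'Please charge card 4111 1111 1111 1111 again',  // Luhn-valid test number: rejected
};
```

Show the user a message asking them to use the payment form instead; a rare false positive (a long order reference that happens to pass Luhn) costs one resubmission, whereas a stored card number puts the whole database into PCI scope.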
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
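The registration-form age check recommended above, as an added example that is not from the original article: it parses a date of birth, rejects malformed, impossible and future dates, computes the age exactly (including the day-before-birthday and 29 February cases), and returns only the verdict so the site can gate registration without retaining the date of birth itself. The minimum age defaults to 13 (COPPA) and can be raised to 16 for the EU rule mentioned above; all dates are handled in UTC, and the sample dates are constructed.

```javascript
// Added example (not from the original article). Age gate for a registration form.
// Returns a verdict only; the date of birth is not stored (data minimisation).

// Whole years between dob and today, decrementing when this year's birthday
// has not yet arrived. A 29 February birthday counts from 1 March in non-leap years.
function ageOn(dob, today) {
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  if (beforeBirthday) age -= 1;
  return age;
}

// dobString is the form value in ISO format (YYYY-MM-DD). `today` is injectable for testing.
function checkRegistrationAge(dobString, { minimumAge = 13, today = new Date() } = {}) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(dobString));
  if (!m) return { allowed: false, reason: 'invalid_format' };

  const [year, month, day] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dob = new Date(Date.UTC(year, month - 1, day));
  // Date.UTC silently rolls impossible dates forward (2010-02-30 becomes 2 March), so
  // compare the components back to catch them.
  if (dob.getUTCFullYear() !== year || dob.getUTCMonth() !== month - 1 || dob.getUTCDate() !== day) {
    return { allowed: false, reason: 'invalid_date' };
  }
  if (dob > today) return { allowed: false, reason: 'future_date' };

  const age = ageOn(dob, today);
  if (age < minimumAge) return { allowed: false, reason: 'under_minimum_age' };
  return { allowed: true };
}
```

A self-declared date of birth gates registration; it is not "verifiable parental consent" in the COPPA sense, so a site that knowingly serves under-13 users still needs the parental-consent process the paragraph above describes.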
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
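The requirements in the list above (prior consent, no implied consent, per-category choices, a Reject All that is as easy as Accept All, recorded withdrawal, a consent record with what was chosen and when) and the category table translate into a small piece of consent state. The following is an added example written for this article, not code from Complianz, CookieBot or any other plugin named here. It assumes the usual blocking pattern in which non-essential tags are shipped inert and are only activated for a category the visitor has consented to; the policy version, the sample tag list and the in-memory store standing in for localStorage or a server-side consent log are all constructed placeholders.

```javascript
// Added example for this article (not from Complianz, CookieBot or any other plugin).
// Models the consent rules described above as a DOM-free state module so the logic
// can be tested; wiring it to real <script> tags is left to the page.

// Assumption: the cookie policy carries a version string. A stored record for an
// older version is treated as stale, so the banner is shown again after policy changes.
const POLICY_VERSION = '2026-01'; // constructed placeholder

// Categories mirror the table above. "necessary" never needs consent; the rest are opt-in.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed sample of tags a page might carry, each labelled with its category.
const SAMPLE_TAGS = [
  { src: '/js/session.js', category: 'necessary' },
  { src: 'https://analytics.example/script.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Identifier for the consent record, so a log entry can be referenced later.
function newRecordId() {
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === 'function') {
    return globalThis.crypto.randomUUID();
  }
  return 'consent-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 10);
}

function createConsentManager({ now = () => new Date(), store = new Map() } = {}) {
  let record = store.get('consent') || null;

  // A record from an older policy version does not count as a decision.
  function hasDecision() {
    return record !== null && record.policyVersion === POLICY_VERSION;
  }

  // Prior consent: nothing non-essential is allowed until the visitor has decided.
  function isAllowed(category) {
    if (category === 'necessary') return true;
    return hasDecision() && record.choices[category] === true;
  }

  // Every save normalises the choices so that an unknown key or a non-boolean value
  // cannot grant consent: the default for every non-essential category is false.
  function save(choices, method) {
    const normalized = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== 'necessary') normalized[c] = choices[c] === true;
    }
    record = {
      id: newRecordId(),
      policyVersion: POLICY_VERSION,
      choices: normalized,
      method,                         // accept_all, reject_all, granular or withdraw
      timestamp: now().toISOString(), // when the choice was made
    };
    store.set('consent', record);
    return record;
  }

  return {
    hasDecision,
    isAllowed,
    getRecord: () => record,
    acceptAll: () => save({ functional: true, analytics: true, marketing: true }, 'accept_all'),
    rejectAll: () => save({}, 'reject_all'),            // one click, same as Accept All
    saveChoices: (choices) => save(choices, 'granular'), // per-category consent
    withdraw: () => save({}, 'withdraw'),               // withdrawal is recorded, not just deleted
    // Script blocking: only tags whose category is currently allowed may be activated.
    // Tags with an unknown category are blocked (fail closed).
    tagsToActivate: (tags) =>
      tags.filter((t) => CATEGORIES.includes(t.category) && isAllowed(t.category)),
  };
}

// Stand-alone demonstration: before any decision only the necessary tag runs;
// after a granular choice the analytics tag is added and the marketing tag stays blocked.
function demo() {
  const manager = createConsentManager();
  const before = manager.tagsToActivate(SAMPLE_TAGS).map((t) => t.src);
  manager.saveChoices({ analytics: true });
  const after = manager.tagsToActivate(SAMPLE_TAGS).map((t) => t.src);
  return { before, after, record: manager.getRecord() };
}
```

Two design points matter for the "consent records" requirement: the record stores the policy version the visitor actually saw, and a withdrawal writes a new record rather than deleting the old one, so the log can show both what was consented to and when it was withdrawn.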
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
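Staying in SAQ A scope depends on card numbers never reaching your server, and a misconfigured form, a "notes" field or a support ticket can quietly break that. As an added example, not code from the original post or from any processor's SDK, here is a server-side guard that scans a parsed request body for Luhn-valid, card-number-shaped values and refuses the submission before it is stored or logged. The Express-style `(req, res, next)` middleware signature and the error message are assumptions for the demo.

```javascript
// Added example, not code from the original post: reject inbound form data that
// looks like a primary account number (PAN) so it never lands in your database.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Returns the digit strings in `text` that pass the Luhn check.
function findPanLike(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_PATTERN)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walks a parsed body (nested objects, arrays, strings, numbers) and returns the
// field paths that contain a PAN-like value. Values themselves are never returned.
function scanBody(body, path = "") {
  const findings = [];
  if (typeof body === "string" || typeof body === "number") {
    if (findPanLike(body).length > 0) findings.push(path || "(root)");
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => findings.push(...scanBody(v, `${path}[${i}]`)));
  } else if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  }
  return findings;
}

// Express-style middleware (hypothetical wiring). Logs only the field path,
// never the value, so the PAN is not written to your application logs either.
function rejectCardData(req, res, next) {
  const findings = scanBody(req.body);
  if (findings.length === 0) return next();
  console.warn(`refused submission: card-number-like value in ${findings.join(", ")}`);
  res.status(400).json({ error: "Card details must be entered in the payment processor's form." });
}
```

Mount it ahead of any handler that persists user input (contact forms, support tickets, order notes). Order numbers and phone numbers rarely pass the Luhn check, which keeps false positives low, but treat a hit as a signal to review the form, not just to block the request.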
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
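As an added example (not code from the original post or from any consent plugin), the consent rules from the Lawful Basis list and the bundled-consent point under Legal Page Templates expressed as a small consent state machine: optional purposes start undecided rather than pre-ticked, each purpose is a separate decision, consent can be withdrawn, and a log entry records what was chosen under which policy version. The category names, the policy-version string and the `type="text/plain" data-category` script-tag convention are assumptions.

```javascript
// Added example: granular, withdrawable cookie consent with a consent log entry.
const CATEGORIES = ['necessary', 'analytics', 'marketing']; // assumed category set
const POLICY_VERSION = '2024-01'; // assumed; bump whenever the cookie policy text changes

// Initial state: strictly necessary cookies are on (not consent-based); every optional
// purpose is explicitly null (undecided), never pre-ticked to true.
function initialConsent(now = new Date()) {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = c === 'necessary' ? true : null;
  return { choices, policyVersion: POLICY_VERSION, decidedAt: null, createdAt: now.toISOString() };
}

// Record one granular decision. Purposes are set individually, so bundled consent is
// impossible by construction; 'necessary' is not a choice the visitor can make.
function decide(state, category, granted, now = new Date()) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === 'necessary') throw new Error('necessary cookies are not a consent choice');
  const choices = { ...state.choices, [category]: Boolean(granted) };
  return { ...state, choices, decidedAt: now.toISOString() };
}

// Withdraw consent for one purpose, or for every optional purpose when none is given.
function withdraw(state, category = null, now = new Date()) {
  const targets = category ? [category] : CATEGORIES.filter(c => c !== 'necessary');
  let next = state;
  for (const t of targets) next = decide(next, t, false, now);
  return next;
}

// A script may run only when its category holds an explicit true; undecided (null) blocks it.
function isAllowed(state, category) {
  return state.choices[category] === true;
}

// Consent log entry: who, what was chosen, when, and under which policy text.
function consentRecord(state, visitorId) {
  return JSON.stringify({
    visitorId,
    policyVersion: state.policyVersion,
    decidedAt: state.decidedAt,
    choices: state.choices,
  });
}

// Browser side: scripts tagged <script type="text/plain" data-category="analytics"> are
// inert until their category is granted, then swapped for executable script elements.
// Returns the number activated; does nothing outside a browser.
function activateBlockedScripts(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!isAllowed(state, el.dataset.category)) continue;
    const s = doc.createElement('script');
    if (el.src) s.src = el.src; else s.textContent = el.textContent;
    el.replaceWith(s);
    activated++;
  }
  return activated;
}
```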
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. California also treats the Global Privacy Control (GPC) browser signal as a valid opt-out request, so check that your consent tool honors it rather than relying on the footer link alone.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). Reduced scope is not zero scope: an attacker who can inject JavaScript into the page that embeds the payment form (a Magecart-style skimmer, typically planted through a compromised plugin or theme) can still read card numbers as the customer types them, so the checkout page itself, its plugins and its third-party scripts remain your responsibility.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and exchanging them for a token before anything is sent to your server; only the token, which your server uses to create the charge, ever reaches you.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation must be renewed every three years or it lapses, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users. Prefer a simple age confirmation over collecting a full date of birth unless you actually need it: a stored birth date is one more piece of personal data to protect and to list in your data map.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance, provided you actually store the timestamp and the version of the terms that was accepted. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-out requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages; implied consent is available only in limited cases such as an existing business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under the ePrivacy rules and GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Some supervisory authorities (France’s CNIL, for example) treat it as exempt from consent when it is configured in the privacy mode they prescribe; the default configuration is not exempt.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, under which version of your policy, and by whom (for anonymous visitors, a random consent ID stored with the choice, not their identity)
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide a copy of the data within one month of receipt; this can be extended by two further months for complex or numerous requests, provided you tell the requester why)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you are legally obliged to retain)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox at registration or checkout (clickwrap) is far more enforceable than terms that bind merely by using the site (browsewrap), which US courts have often refused to enforce.
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from every page where the relevant data is collected. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Requiring users to tick an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version alongside the account so you can show which terms were accepted. Keep that checkbox separate from any GDPR consent. Marketing consent (the newsletter opt-in, for example) needs its own unticked checkbox, while account data needed to provide the service is processed on the contract basis and needs no consent checkbox at all. A single box that bundles ToS acceptance with marketing consent is not valid consent.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it sets tracking cookies and sends visitor data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. A cookieless mode with IP anonymisation is available; configured that way, some regulators (the French CNIL, for example) accept it as audience measurement that is exempt from consent.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics). Two things do not go away: the hosted services (Plausible, Fathom) are still processors, so you still need their DPA and an entry in your privacy policy, and you remain responsible for the retention period and IP handling you configure.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox (clickwrap) is far more likely to be enforced than “using the site implies acceptance” (browsewrap), which US courts have repeatedly declined to enforce; use a checkbox for anything that creates an account or takes payment
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) requires consent before storing or reading anything on a visitor’s device that is not strictly necessary for a service the visitor asked for, and GDPR defines what valid consent is: prior, informed, freely given, specific, and unambiguous. The rule is not limited to cookies - localStorage, tracking pixels and fingerprinting scripts are covered too. “Prior” means before the cookie is set or the tracking script loads - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” button with no equally prominent “Reject All” is not valid consent; burying rejection behind a settings screen is one of the most common findings in regulator enforcement actions.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, under which version of your cookie policy, and for which visitor (a consent ID or pseudonymised identifier - the record should not collect more data than the consent itself requires)
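The “prior” requirement is usually enforced by the consent plugin in the browser, but on a WordPress site you can also enforce it server-side so a tag is never emitted unless consent exists. The following is an added example, not code from the article or from any consent plugin. It assumes a hypothetical consent cookie named `site_consent` that your banner writes as JSON of the shape `{"v":"2024-06","t":1718000000,"c":{"analytics":true,"marketing":false}}`; the script handles and URLs (`analytics.example.com`, `ads.example.com`) are placeholders for your own loaders.

```php
<?php
// Added example (not from the article or any consent plugin): server-side
// enforcement of prior consent on a WordPress site. Nothing non-essential is
// enqueued unless a valid, unexpired consent cookie for the current policy
// version grants that category. Default is deny.
// Assumed (hypothetical) cookie: site_consent = {"v":"2024-06","t":<unix time>,
//   "c":{"functional":bool,"analytics":bool,"marketing":bool}}

const CONSENT_COOKIE         = 'site_consent'; // hypothetical name written by your banner
const CONSENT_POLICY_VERSION = '2024-06';      // bump whenever the cookie policy changes
const CONSENT_MAX_AGE        = 180 * 86400;    // re-ask after six months (CNIL recommendation)
const NON_ESSENTIAL          = ['functional', 'analytics', 'marketing'];

/**
 * Parse the consent cookie into a category => bool map. Anything missing,
 * malformed, older than CONSENT_MAX_AGE or given under a previous policy
 * version yields "no consent" for every non-essential category.
 */
function consent_state(): array
{
    $denied = array_fill_keys(NON_ESSENTIAL, false);
    if (empty($_COOKIE[CONSENT_COOKIE])) {
        return $denied;
    }
    $data = json_decode(wp_unslash($_COOKIE[CONSENT_COOKIE]), true);
    if (!is_array($data) || ($data['v'] ?? null) !== CONSENT_POLICY_VERSION) {
        return $denied; // policy changed since consent was given: ask again
    }
    if (!isset($data['t']) || time() - (int) $data['t'] > CONSENT_MAX_AGE) {
        return $denied; // stale consent: ask again
    }
    $state = $denied;
    foreach (NON_ESSENTIAL as $cat) {
        // only an explicit boolean true counts; "1", "yes" or a missing key do not
        $state[$cat] = ($data['c'][$cat] ?? false) === true;
    }
    return $state;
}

function consent_granted(string $category): bool
{
    if ($category === 'necessary') {
        return true; // strictly necessary cookies need no consent
    }
    return consent_state()[$category] ?? false;
}

// Enqueue third-party tags only for the categories the visitor actually granted.
add_action('wp_enqueue_scripts', function () {
    if (consent_granted('analytics')) {
        // hypothetical handle and URL: replace with your analytics loader
        wp_enqueue_script('site-analytics', 'https://analytics.example.com/loader.js', [], null, true);
    }
    if (consent_granted('marketing')) {
        wp_enqueue_script('site-ads-pixel', 'https://ads.example.com/pixel.js', [], null, true);
    }
});

/**
 * Build the consent record to keep as evidence: what was granted, when, under
 * which policy version, with the IP anonymised before it is stored. Store the
 * result in your own table or hand it to your consent plugin's log.
 */
function consent_record(array $granted): array
{
    return [
        'policy_version' => CONSENT_POLICY_VERSION,
        'granted'        => array_values(array_intersect(NON_ESSENTIAL, $granted)),
        'timestamp_utc'  => gmdate('c'),
        'ip'             => wp_privacy_anonymize_ip($_SERVER['REMOTE_ADDR'] ?? ''),
        'user_agent'     => substr(sanitize_text_field($_SERVER['HTTP_USER_AGENT'] ?? ''), 0, 255),
    ];
}
```

One caveat that matters in practice: full-page caching (WP Super Cache, W3 Total Cache, a CDN cache) serves the same HTML to every visitor, so server-side gating like this silently breaks unless the cache varies on the consent cookie or bypasses cached pages for visitors who hold one. That is the reason consent plugins gate scripts in the browser instead (by shipping them as `type="text/plain"` and activating them after consent); if you use page caching, rely on the plugin’s client-side blocking and treat this server-side check as a second layer, not the only one.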
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt when the visitor explicitly chose the setting (picked a language, for example); consent required when set silently or reused for tracking |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR (cookieless first-party audience measurement such as Matomo’s is exempt under some regulators’ guidance; session recordings never are) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month, extendable by two further months for complex or numerous requests if you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you must keep for tax or legal reasons - those are retained but should be anonymised where possible)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order. Check that the DPA also covers international transfers: for US vendors this means Standard Contractual Clauses or Data Privacy Framework certification, which most vendor DPAs now bundle, and the transfer itself needs to be mentioned in your privacy policy.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). They are request-driven: you enter the requester’s email, WordPress sends a confirmation link, and once confirmed you can generate the export or run the erasure. They cover core data (the user profile and comments) and whatever plugins have registered with them - WooCommerce registers its order data, for example - but many form and community plugins store submissions in their own tables and register nothing. Check whether your WooCommerce orders, BuddyPress profiles, and form submissions show up in a test export before you rely on the tool for real requests.
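Plugin data that does not appear in the core export is the usual gap, and the fix is to register an exporter and an eraser for it. The following is an added example, not code from the article or from WordPress core, written against the core privacy hooks. It assumes a hypothetical custom table `{$wpdb->prefix}quote_requests` with columns `id`, `email`, `name`, `phone`, `message`, `invoice_id` (nullable) and `created_at`, and a hypothetical retention rule that rows linked to an invoice must be kept for the accounting period; those rows are anonymised rather than deleted, which is the “with exceptions” case in the checklist above.

```php
<?php
// Added example (not from the article or WordPress core): wiring a custom
// plugin table into Tools > Export Personal Data and Tools > Erase Personal
// Data so data subject requests cover it too.
// Assumed (hypothetical) table: {$wpdb->prefix}quote_requests with columns
// id, email, name, phone, message, invoice_id (NULL when no invoice), created_at.

function qr_register_exporter($exporters)
{
    $exporters['quote-requests'] = [
        'exporter_friendly_name' => 'Quote request forms',
        'callback'               => 'qr_export_personal_data',
    ];
    return $exporters;
}
add_filter('wp_privacy_personal_data_exporters', 'qr_register_exporter');

/**
 * Exporter callback. WordPress calls it repeatedly with an increasing $page
 * until 'done' is true, so large result sets are paged rather than loaded
 * in one go.
 */
function qr_export_personal_data($email_address, $page = 1)
{
    global $wpdb;
    $per_page = 100;
    $offset   = ((int) $page - 1) * $per_page;
    $table    = $wpdb->prefix . 'quote_requests';

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name, phone, message, created_at FROM {$table}
             WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
            $email_address, $per_page, $offset
        ),
        ARRAY_A
    );

    $items = [];
    foreach ($rows as $row) {
        $items[] = [
            'group_id'    => 'quote_requests',
            'group_label' => 'Quote requests',
            'item_id'     => 'quote-request-' . $row['id'],
            'data'        => [
                ['name' => 'Name',      'value' => $row['name']],
                ['name' => 'Phone',     'value' => $row['phone']],
                ['name' => 'Message',   'value' => $row['message']],
                ['name' => 'Submitted', 'value' => $row['created_at']],
            ],
        ];
    }
    return ['data' => $items, 'done' => count($rows) < $per_page];
}

function qr_register_eraser($erasers)
{
    $erasers['quote-requests'] = [
        'eraser_friendly_name' => 'Quote request forms',
        'callback'             => 'qr_erase_personal_data',
    ];
    return $erasers;
}
add_filter('wp_privacy_personal_data_erasers', 'qr_register_eraser');

/**
 * Eraser callback. Rows tied to an issued invoice are retained for the legal
 * retention period but anonymised; everything else is deleted outright.
 * 'items_retained' plus a message tells the admin (and the requester) what
 * was kept and why.
 */
function qr_erase_personal_data($email_address, $page = 1)
{
    global $wpdb;
    $table    = $wpdb->prefix . 'quote_requests';
    $retained = false;
    $messages = [];

    // Hypothetical retention rule: anonymise, do not delete, rows with an invoice.
    // wp_privacy_anonymize_data() returns core's placeholders ('[deleted]',
    // 'deleted@site.invalid'), which keeps the rows usable for accounting.
    $kept = $wpdb->query($wpdb->prepare(
        "UPDATE {$table} SET name = %s, phone = %s, message = %s, email = %s
         WHERE email = %s AND invoice_id IS NOT NULL",
        wp_privacy_anonymize_data('text'), '', '',
        wp_privacy_anonymize_data('email'), $email_address
    ));
    if ($kept) {
        $retained   = true;
        $messages[] = 'Quote requests linked to invoices were anonymised and retained for the statutory accounting period.';
    }

    // Anonymised rows no longer match the email, so this removes only the rest.
    $deleted = $wpdb->delete($table, ['email' => $email_address], ['%s']);

    return [
        'items_removed'  => (bool) $deleted,
        'items_retained' => $retained,
        'messages'       => $messages,
        'done'           => true,
    ];
}
```

After adding this to a plugin or `functions.php`, run a test request for one of your own addresses under Tools > Export Personal Data and confirm the “Quote requests” group appears in the generated ZIP, then run an erasure and check the table directly: the invoiced rows should now carry the placeholder values and the rest should be gone.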
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Keep an internal register of every breach, including the ones you decide not to report and the reasoning, because the regulator can ask for it. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control (GPC) browser signal as an opt-out, which the CCPA regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; verify that yours also responds to the GPC signal, since a footer link alone does not satisfy the opt-out rules.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit and fix high-severity issues first. Automated scanners only catch a fraction of WCAG failures, so follow up by walking your key flows (registration, checkout, the cookie banner itself) with a keyboard only and with a screen reader.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable, and your EU representative if you are established outside the EU but target EU users
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties or categories of recipients (Google Analytics, payment processors, email platforms, cloud hosting providers), and whether any data leaves the EU/EEA and under which safeguard (Standard Contractual Clauses, Data Privacy Framework)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
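As an added example (not code from the original post or from any of the consent plugins it compares), here is the decision logic a banner needs behind its buttons to meet the requirements listed above: prior consent, nothing pre-ticked, granular categories, withdrawal as easy as acceptance, and a record of what was consented to, when, and by which visitor. The tag inventory, visitor id and policy version are constructed for illustration; the banner UI and cookie storage are assumed to exist.

```javascript
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed tag inventory using the category table above. On a real site
// this list is what the cookie scan produces.
const TAGS = [
  { name: 'session-cookie', category: 'necessary' },
  { name: 'csrf-token', category: 'necessary' },
  { name: 'language-pref', category: 'functional' },
  { name: 'google-analytics', category: 'analytics' },
  { name: 'facebook-pixel', category: 'marketing' },
];

// Build a consent record from an explicit user action. A category the action
// did not mention (or set to anything but boolean true) is refused, never
// granted, so "consent by scrolling" or a half-filled form cannot grant anything.
// Strictly necessary is exempt and always on.
function recordConsent(choices, { visitorId, policyVersion, now = new Date() }) {
  if (!visitorId || !policyVersion) throw new Error('visitorId and policyVersion are required');
  const granted = { necessary: true };
  for (const category of CATEGORIES) {
    if (category !== 'necessary') granted[category] = choices[category] === true;
  }
  return Object.freeze({
    visitorId,
    policyVersion,               // which cookie policy text the visitor saw
    timestamp: now.toISOString(), // when the choice was made
    granted: Object.freeze(granted),
  });
}

function acceptAll(ctx) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, ctx);
}

// "Reject all" must be offered alongside "Accept all". It still produces a
// record: a refusal is also something you must be able to prove later.
function rejectAll(ctx) {
  return recordConsent({}, ctx);
}

// Withdrawal is simply a newer record that supersedes the old one.
function withdraw(previous, ctx) {
  return rejectAll({ ...ctx, visitorId: previous.visitorId });
}

// Append-only consent log; the newest record per visitor is authoritative.
class ConsentLog {
  constructor() { this.records = []; }
  append(record) { this.records.push(record); return record; }
  latestFor(visitorId) {
    for (let i = this.records.length - 1; i >= 0; i -= 1) {
      if (this.records[i].visitorId === visitorId) return this.records[i];
    }
    return null;
  }
}

// Gate for the script loader. Fails closed: an unknown category is an error,
// and with no record only strictly necessary tags load ("prior" consent).
function mayLoad(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === 'necessary') return true;
  if (!record) return false;
  return record.granted[category] === true;
}

function tagsToLoad(record) {
  return TAGS.filter((t) => mayLoad(record, t.category)).map((t) => t.name);
}

// A record collected under an older policy version must be re-collected.
function needsReprompt(record, currentPolicyVersion) {
  return record === null || record.policyVersion !== currentPolicyVersion;
}
```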
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
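A server-side guard for the rule above, added here as an example and not code from the original post or from Stripe, PayPal or WooCommerce: since card details should only ever reach the processor, a card number turning up in your own form fields (a support form, a checkout "notes" box) or in your logs is a leak, and the submission should be refused rather than stored. Field names and sample values are constructed; the masking keeps the last four digits so the rejection can be logged safely.

```javascript
// Luhn check over a string of ASCII digits (the checksum used on card numbers).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate runs of 13 to 19 digits, allowing a single space or dash between digits.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

// Returns the card-number-looking substrings in a text. Only Luhn-valid runs
// count, which keeps order ids, phone numbers and timestamps out; a few
// non-card identifiers are Luhn-valid too, so this errs on the side of refusing.
function findCardNumbers(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Screen a submission before it is persisted or logged. If any field carries a
// card number the submission is not accepted; the returned copy has each hit
// masked to its last four digits so it is safe to write to an error log.
function screenSubmission(fields) {
  const flaggedFields = [];
  const safeFields = {};
  for (const [name, value] of Object.entries(fields)) {
    const hits = findCardNumbers(value);
    if (hits.length === 0) {
      safeFields[name] = value;
      continue;
    }
    flaggedFields.push(name);
    let masked = String(value);
    for (const hit of hits) {
      const digits = hit.replace(/[ -]/g, '');
      masked = masked.replace(hit, '*'.repeat(digits.length - 4) + digits.slice(-4));
    }
    safeFields[name] = masked;
  }
  return { accepted: flaggedFields.length === 0, flaggedFields, safeFields };
}
```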
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
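As an added example (not code from the article or from any platform it names), here is a small Python consent ledger that ties together the separate per-purpose checkboxes from Legal Page Templates, the double opt-in consent records (date, IP, method) and immediate unsubscribe from Email Marketing, and the access, portability and erasure requests listed above. The 48-hour confirmation window, the sample emails and the IP addresses are assumed values.

```python
from __future__ import annotations

import json
import secrets
from dataclasses import asdict, dataclass, field
from datetime import date, datetime, timedelta

# Assumed policy values (not from the article): unconfirmed opt-ins expire after 48 h;
# the per-region minimum ages are the 13 (US) and 16 (EU) figures the article cites.
CONFIRM_TTL = timedelta(hours=48)
MIN_AGE = {"US": 13, "EU": 16}


@dataclass
class ConsentRecord:
    purpose: str            # "terms" or "marketing": one record per purpose, never bundled
    granted_at: str         # ISO-8601 timestamp of the consent action (caller passes UTC)
    ip: str                 # address the action came from
    method: str             # "registration_checkbox" or "double_opt_in"
    withdrawn_at: str | None = None   # set on unsubscribe; the record is kept as evidence


@dataclass
class Subscriber:
    email: str
    consents: list[ConsentRecord] = field(default_factory=list)


@dataclass
class PendingOptIn:
    email: str
    ip: str
    expires: datetime


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today (birthday not yet reached counts one less)."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


class ConsentLedger:
    def __init__(self) -> None:
        self._subs: dict[str, Subscriber] = {}
        self._pending: dict[str, PendingOptIn] = {}   # token -> unconfirmed opt-in

    def register(self, email: str, dob: date, region: str, tos_checked: bool,
                 marketing_checked: bool, ip: str, now: datetime) -> str | None:
        """Handle a registration form. Returns the double opt-in token to email
        when the (unticked-by-default) marketing box was ticked, otherwise None."""
        if age_on(dob, now.date()) < MIN_AGE[region]:
            raise ValueError("below the minimum age for this region")
        if tos_checked is not True:          # the ToS box is its own explicit action
            raise ValueError("Terms of Service not accepted")
        sub = Subscriber(email)
        sub.consents.append(ConsentRecord("terms", now.isoformat(), ip, "registration_checkbox"))
        self._subs[email] = sub
        if marketing_checked is not True:    # unticked box means no marketing consent at all
            return None
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingOptIn(email, ip, now + CONFIRM_TTL)
        return token

    def confirm(self, token: str, ip: str, now: datetime) -> bool:
        """Second step of double opt-in: consent is recorded only when the emailed
        link is clicked, and a token works once and only before it expires."""
        pending = self._pending.pop(token, None)
        if pending is None or now > pending.expires:
            return False
        self._subs[pending.email].consents.append(
            ConsentRecord("marketing", now.isoformat(), ip, "double_opt_in"))
        return True

    def unsubscribe(self, email: str, now: datetime) -> bool:
        """Withdraw marketing consent at once (no 10-day queue); False if none was active."""
        sub = self._subs.get(email)
        active = [r for r in (sub.consents if sub else [])
                  if r.purpose == "marketing" and r.withdrawn_at is None]
        for rec in active:
            rec.withdrawn_at = now.isoformat()
        return bool(active)

    def can_email(self, email: str) -> bool:
        """The check every send path should run: an active, confirmed marketing consent."""
        sub = self._subs.get(email)
        return sub is not None and any(
            r.purpose == "marketing" and r.withdrawn_at is None for r in sub.consents)

    def export(self, email: str) -> str:
        """Access / portability request: everything held on the person, as JSON."""
        return json.dumps(asdict(self._subs[email]), indent=2)

    def erase(self, email: str) -> bool:
        """Erasure request: drop the account and any unconfirmed opt-in for it."""
        self._pending = {t: p for t, p in self._pending.items() if p.email != email}
        return self._subs.pop(email, None) is not None
```

In a real deployment the ledger would be backed by a database table that the annual consent-record review in the maintenance table can be run against.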
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”, Article 5(3)) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers anything else stored on or read from the visitor’s device - localStorage entries, tracking pixels, fingerprinting scripts - so “cookie consent” is really consent to client-side storage and tracking. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to prove consent (GDPR Article 7(1) puts that burden on you), so store what was consented to, when, the policy or banner version shown, and an identifier for the user or browser that gave it
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes for cookie-based tools; some authorities (CNIL, for example) exempt cookie-less, first-party-only measurement - see Privacy-First Analytics below |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
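The “prior” rule and the category table above are only useful if you can see what your site actually sets before anyone clicks. Below is an added example (not code from the post or from any consent plugin it names) of a first-visit cookie audit: dump the browser’s cookie jar after loading the home page with no consent choice made (the sample is constructed, in the shape Playwright’s context.cookies() returns), classify each cookie by name, and flag everything that is not strictly necessary. The name-to-category rules and the 395-day lifetime limit are assumptions to adjust for your own site.

```python
"""Pre-consent cookie audit.

Added example, not code from the post or from any consent plugin it names. Input is a
cookie-jar dump taken after a first page load with no consent choice made, in the
shape Playwright's context.cookies() returns (name, domain, expires as unix seconds,
-1 for session cookies). The sample at the bottom is constructed.
"""
import re
from dataclasses import dataclass, field

# Name-based category rules, first match wins. Row 1 lists cookie names WordPress,
# WooCommerce and PHP set for login, sessions and carts; rows 3-4 are the documented
# cookie names of Google Analytics, Hotjar, Matomo, Meta Pixel and Google Ads. The
# category assignment is ours (an assumption): confirm it against each vendor's docs.
CATEGORY_RULES = [
    (r"^(wordpress_logged_in_|wordpress_sec_|wordpress_test_cookie$|wp-settings-|"
     r"PHPSESSID$|woocommerce_|wp_woocommerce_session_)", "strictly_necessary"),
    (r"^(pll_language|wp-wpml_current_language)$", "functional"),
    (r"^(_ga|_gid|_gat|_hj|_pk_id|_pk_ses)", "analytics"),
    (r"^(_fbp|_fbc|_gcl_au|IDE|test_cookie|fr)$", "marketing"),
]


@dataclass
class Finding:
    name: str
    category: str
    domain: str
    third_party: bool
    lifetime_days: float
    issues: list = field(default_factory=list)


def classify(name: str) -> str:
    for pattern, category in CATEGORY_RULES:
        if re.match(pattern, name):
            return category
    return "unknown"


def is_first_party(cookie_domain: str, site_host: str) -> bool:
    d = cookie_domain.lstrip(".").lower()
    return site_host == d or site_host.endswith("." + d)


def audit_first_visit(cookies, site_host, now_epoch, max_lifetime_days=395):
    """Classify every cookie present after a first load made WITHOUT a consent choice.
    Anything outside 'strictly necessary' was set before consent and is a violation;
    unknown names need a human to find the plugin that sets them."""
    findings = []
    for c in cookies:
        category = classify(c["name"])
        lifetime = 0.0 if c["expires"] < 0 else (c["expires"] - now_epoch) / 86400
        f = Finding(c["name"], category, c["domain"],
                    not is_first_party(c["domain"], site_host), lifetime)
        if category == "unknown":
            f.issues.append("unclassified: identify the plugin that sets it")
        elif category != "strictly_necessary":
            f.issues.append("set before consent")
        if f.third_party and category != "strictly_necessary":
            f.issues.append("third-party domain")
        if lifetime > max_lifetime_days:  # assumed policy limit, not a legal constant
            f.issues.append(f"lifetime {lifetime:.0f}d exceeds {max_lifetime_days}d")
        findings.append(f)
    return findings


def violations(findings):
    return [f for f in findings if "set before consent" in f.issues]


NOW = 1_700_000_000  # fixed "now" so the audit is deterministic
DAY = 86400
SAMPLE_FIRST_VISIT = [  # constructed cookie-jar dump, not a real site's output
    {"name": "wordpress_test_cookie", "domain": "example.com", "expires": -1},
    {"name": "woocommerce_cart_hash", "domain": "example.com", "expires": -1},
    {"name": "pll_language", "domain": "example.com", "expires": NOW + 365 * DAY},
    {"name": "_ga", "domain": ".example.com", "expires": NOW + 730 * DAY},
    {"name": "_fbp", "domain": ".example.com", "expires": NOW + 90 * DAY},
    {"name": "IDE", "domain": ".doubleclick.net", "expires": NOW + 390 * DAY},
    {"name": "some_plugin_pref", "domain": "example.com", "expires": NOW + 30 * DAY},
]

if __name__ == "__main__":
    for f in audit_first_visit(SAMPLE_FIRST_VISIT, "example.com", NOW):
        status = "; ".join(f.issues) or "ok (exempt)"
        print(f"{f.name:24} {f.category:19} {status}")
```

Re-run it after every plugin install: the banner can only block scripts it knows about, and a new plugin that sets a cookie server-side bypasses it entirely.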
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within one month; extendable by two further months for complex or numerous requests if you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as records you must keep for tax or legal reasons)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media) but reach plugin data only if the plugin registers its own handlers through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions show up in a test export; if they do not, the plugin either has its own export/erasure tool or you have to handle that data by hand.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly and without undue delay. Keep an internal register of every breach, including the ones you decide not to report, with your reasoning (Article 33(5)). Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually required to tell you about breaches promptly - the 72-hour clock does not wait for them.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control signal (the Sec-GPC: 1 request header, which the CPRA regulations treat as a valid opt-out of sale and sharing). Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin also reads the GPC signal rather than only showing the link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and do not let them land in logs, support tickets or order notes either - a customer typing a card number into a free-text field puts it in scope just as surely as a form you designed. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server. SAQ A still leaves you with the checkout page itself to protect: a compromised plugin or injected script on that page (a Magecart-style skimmer) can read card details before they reach the processor’s iframe, which is why PCI DSS v4.0 added requirements to inventory and authorize the scripts loaded on payment pages.
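The rule “do not store card numbers anywhere” is only checkable if you look. Here is an added example (not code from the post or from any processor it names) that scans exported rows - order notes, support tickets, log lines - for primary account numbers using the Luhn checksum plus an issuer-range check; the rows are constructed samples, and the card numbers in them are the public test numbers.

```python
"""Luhn/IIN scan for card numbers in stored data.

Added example, not code from the post or from Stripe, PayPal or WooCommerce. Run it
over exported form submissions, order notes, support tickets and log lines. The rows
below are constructed samples; the card numbers are the public test numbers.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(d: str):
    """Issuer-range check; cuts the false positives Luhn alone lets through."""
    n = len(d)
    if d[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= int(d[:2]) <= 55 or 2221 <= int(d[:4]) <= 2720) and n == 16:
        return "mastercard"
    if d[:2] in ("34", "37") and n == 15:
        return "amex"
    if (d[:4] == "6011" or d[:2] == "65") and 16 <= n <= 19:
        return "discover"
    return None


def mask(d: str) -> str:
    # first six / last four is the most PCI DSS allows you to display
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def find_pans(text: str):
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def scan_rows(rows):
    """Report every row holding something that looks like a PAN, masked."""
    findings = []
    for row in rows:
        for brand, digits in find_pans(str(row["value"])):
            findings.append({"id": row["id"], "field": row["field"],
                             "brand": brand, "masked": mask(digits)})
    return findings


SAMPLE_ROWS = [  # constructed; rows 2 and 4 carry public test card numbers
    {"id": 1, "field": "order_note", "value": "Please deliver after 5pm"},
    {"id": 2, "field": "order_note", "value": "card 4111 1111 1111 1111 exp 12/26 - charge it"},
    {"id": 3, "field": "phone", "value": "+1 415 555 0100"},
    {"id": 4, "field": "support_ticket", "value": "my amex is 378282246310005"},
    {"id": 5, "field": "tracking", "value": "1Z999AA10123456784"},
    {"id": 6, "field": "invoice_ref", "value": "INV 1234567890123452"},  # Luhn-valid, not a card
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"row {hit['id']} field {hit['field']}: {hit['brand']} {hit['masked']}")
```

Luhn alone is not enough: the invoice reference in row 6 passes the checksum, and only the issuer-range check keeps it out of the report. Whatever the scan finds must be deleted, not just masked, and the field that accepted it should get a server-side reject so the next customer cannot paste a card number there.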
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, since GDPR Article 8 sets 16 as the default age of digital consent and lets member states lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Make it a neutral age screen - ask for the date of birth without hinting at the cutoff, and do not let a rejected visitor simply go back and enter a different age.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the ToS version with the account. For GDPR consent, a separate, unticked checkbox for each consent-based purpose (marketing emails, for example) is required - bundled consent is not valid. Data you need to provide the account itself rests on contract, not consent, so it gets no checkbox at all and must never be tied to the marketing one.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need explicit opt-in consent to send marketing emails (the one narrow exception is the “soft opt-in” for existing customers being offered your own similar products, who must still be able to opt out in every message). Under CAN-SPAM (US), opt-in is not required but opt-out requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages; implied consent exists only in limited cases such as an existing business relationship, and it expires.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
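Recording consent (the “consent records” requirement in the cookie section) and double opt-in are the same mechanism: an append-only log of who agreed to what, when, through which form, plus a confirmation link that proves the address belongs to the person who asked. The following is an added example (not code from the post or from Mailchimp, ConvertKit or ActiveCampaign) that assumes a signing key and an IP-hashing salt from your secret store and uses marketing_email and analytics as example purpose names.

```python
"""Double opt-in confirmation tokens and a per-purpose consent ledger.

Added example, not code from the post or from Mailchimp, ConvertKit or ActiveCampaign.
The key and salt below are placeholders (assumptions): load real values from your
secret store. Purpose names such as "marketing_email" are examples, not a standard.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict

SIGNING_KEY = b"replace-me-with-32-random-bytes-from-your-vault"  # assumed secret
IP_SALT = b"replace-me-with-a-per-site-random-salt"              # assumed secret
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links stop working after two days


def _norm(email: str) -> str:
    return email.strip().lower()


def pseudonymize_ip(ip: str) -> str:
    """Keep evidence of where consent came from without storing the raw address."""
    return hashlib.sha256(IP_SALT + ip.encode()).hexdigest()[:16]


def _token_message(email: str, purpose: str, issued_at: int) -> bytes:
    return f"{_norm(email)}|{purpose}|{issued_at}".encode()


def make_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """Token for the link in the confirmation e-mail: issue time plus an HMAC that
    binds it to this address and this purpose, so one link cannot confirm another."""
    sig = hmac.new(SIGNING_KEY, _token_message(email, purpose, issued_at), hashlib.sha256).hexdigest()
    return f"{issued_at}.{sig}"


def verify_confirmation_token(email: str, purpose: str, token: str, now: int) -> bool:
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SIGNING_KEY, _token_message(email, purpose, issued_at), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time compare


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str         # exactly one purpose per event: consent is never bundled
    action: str          # "requested" | "confirmed" | "withdrawn"
    at: int              # unix time
    ip_hash: str
    method: str          # where it happened, e.g. a form id (assumed label)
    policy_version: str  # privacy-policy version the subscriber saw


class ConsentLedger:
    """Append-only log: the proof of consent GDPR Article 7(1) requires you to hold."""

    def __init__(self):
        self.events: list[ConsentEvent] = []

    def _latest(self, email, purpose):
        hits = [e for e in self.events if e.email == _norm(email) and e.purpose == purpose]
        return hits[-1] if hits else None

    def request(self, email, purpose, ip, method, policy_version, now):
        """An unticked box was ticked: log it and return the token for the e-mail link."""
        self.events.append(ConsentEvent(_norm(email), purpose, "requested", now,
                                        pseudonymize_ip(ip), method, policy_version))
        return make_confirmation_token(email, purpose, now)

    def confirm(self, email, purpose, token, ip, now):
        """Link clicked: only now does the address join the list."""
        last = self._latest(email, purpose)
        if last is None or not verify_confirmation_token(email, purpose, token, now):
            return False
        self.events.append(ConsentEvent(_norm(email), purpose, "confirmed", now,
                                        pseudonymize_ip(ip), "confirmation_link", last.policy_version))
        return True

    def withdraw(self, email, purpose, ip, method, now):
        """No token and no login: withdrawing must be as easy as consenting was."""
        last = self._latest(email, purpose)
        self.events.append(ConsentEvent(_norm(email), purpose, "withdrawn", now, pseudonymize_ip(ip),
                                        method, last.policy_version if last else "unknown"))

    def is_active(self, email, purpose):
        last = self._latest(email, purpose)
        return last is not None and last.action == "confirmed"

    def export(self, email):
        """Everything held about one address, for access and portability requests."""
        return [asdict(e) for e in self.events if e.email == _norm(email)]

    def export_json(self, email):
        return json.dumps(self.export(email), indent=2)
```

Two design choices worth copying: the token is an HMAC over the address, the purpose and the issue time, so a confirmation link cannot be replayed for a different purpose or after it expires, and withdrawal takes no token and no login, because consent must be as easy to withdraw as to give.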
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Several supervisory authorities (CNIL among them) exempt cookie-less, first-party, non-cross-site audience measurement from the consent requirement, so a correctly configured Matomo can run without a banner - check your own authority’s guidance before relying on this.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox or button (clickwrap) is reliably enforceable; relying on continued use of the site (browsewrap) frequently is not, so use a checkbox wherever users register or pay
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule (Article 5(3) of the Directive) covers any storing of or access to information on the visitor’s device, so localStorage entries, tracking pixels and fingerprinting scripts are caught as well as cookies. “Prior” means before the cookie is set or the script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse). The CJEU confirmed in Planet49 (2019) that a pre-ticked box is not valid consent.
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to show what was consented to, when, and under which version of the banner and cookie policy. Store a pseudonymous consent ID with the timestamp, the categories chosen (including rejections) and the policy version; the record is keyed by that ID rather than by the visitor’s identity unless they are a logged-in user.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo (with cookies enabled), Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
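The requirements above (prior consent, no pre-ticked boxes, a working Reject All, withdrawal, and a consent record) reduce to a small amount of logic that every consent plugin implements internally. The following JavaScript is an added example, not code from the original post or from any of the plugins discussed; the category names, the policy version string, the 180-day maximum record age, the storage key and the `data-consent` attribute convention are assumptions. Third-party tags are shipped as `<script type="text/plain" data-consent="analytics">` so the browser never executes them until a valid record unlocks their category.

```javascript
// Added example, not from the original post: a first-party consent gate.
// Assumptions: category names, the policy version string, the 180-day max
// record age, the storage key, and the data-consent attribute convention.

const CATEGORIES = ['functional', 'analytics', 'marketing']; // strictly necessary is always allowed
const POLICY_VERSION = '2024-06-01';   // bump this whenever the cookie policy text changes
const MAX_RECORD_AGE_DAYS = 180;       // re-ask after this period

function newConsentId() {
  // Pseudonymous id for the consent log: it must not identify the visitor.
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === 'function') return c.randomUUID();
  return 'c-' + Date.now().toString(36) + '-' + Math.random().toString(36).slice(2, 10);
}

// Build a record from the banner's choices. Every category defaults to false
// (no pre-ticked boxes), and only a boolean true counts as consent.
function buildConsentRecord(choices, policyVersion = POLICY_VERSION, now = new Date()) {
  const categories = {};
  for (const cat of CATEGORIES) categories[cat] = choices[cat] === true;
  return { id: newConsentId(), policyVersion, timestamp: now.toISOString(), categories };
}

// A record is usable only for the policy version it was given under and while not stale.
function isRecordValid(record, policyVersion = POLICY_VERSION, now = new Date()) {
  if (!record || record.policyVersion !== policyVersion) return false;
  const ageMs = now.getTime() - new Date(record.timestamp).getTime();
  return Number.isFinite(ageMs) && ageMs >= 0 && ageMs <= MAX_RECORD_AGE_DAYS * 86400000;
}

// Categories whose scripts may run. With no valid record nothing non-essential runs:
// this is what "prior" consent means in code.
function allowedCategories(record, policyVersion = POLICY_VERSION, now = new Date()) {
  const allowed = new Set(['necessary']);
  if (!isRecordValid(record, policyVersion, now)) return allowed;
  for (const cat of CATEGORIES) if (record.categories[cat] === true) allowed.add(cat);
  return allowed;
}

// Withdrawal is a fresh record with everything off, so it is logged like any other choice.
function withdrawAll(policyVersion = POLICY_VERSION, now = new Date()) {
  return buildConsentRecord({}, policyVersion, now);
}

// Browser side. Tags are shipped inert:
//   <script type="text/plain" data-consent="analytics" src="https://example.invalid/ga.js"></script>
// and are swapped for executable copies only for categories in `allowed`.
function activateBlockedScripts(doc, allowed) {
  let activated = 0;
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  for (const el of blocked) {
    if (!allowed.has(el.getAttribute('data-consent'))) continue;
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.text = el.text;
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Wiring in a real page (assumed storage key; a first-party cookie works the same way).
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const stored = JSON.parse(localStorage.getItem('consent-record') || 'null');
  const allowed = allowedCategories(stored);
  activateBlockedScripts(document, allowed);
  // If allowed.size === 1 the banner must be shown; on Accept or Reject call
  // buildConsentRecord(choices) or withdrawAll(), persist it, and re-run activation.
}
```

Note what the policy-version check buys you: when the cookie policy text changes, every stored record becomes invalid and the banner is shown again, which is what informed consent requires. The DOM activation step only runs in a browser; the record logic is plain data and can be unit tested on the server, which is also where the consent log should be written.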
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month; extendable by two further months for complex or numerous requests, and the requester must be told why)
- Process for deletion requests (erase data within one month, with exceptions such as records you are legally required to keep)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you (GDPR Article 28). This includes: Google Analytics (accept Google’s data processing terms in the Analytics Admin account settings), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Keep a copy of each accepted version with its date. Processing personal data through a vendor with no such contract in place is itself a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a notification that misses the 72 hours must explain the delay. If the breach is likely to result in a high risk to individuals, you must also notify affected users directly, again without undue delay. Keep an internal breach register covering every incident, including the ones you decide not to report, and designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer and honor the Global Privacy Control (GPC) browser signal as an opt-out, which the CPRA regulations require. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the GPC option is switched on as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). SAQ A is not zero obligations: web skimming (Magecart) attacks inject code into the page that hosts the payment iframe or form, so that page still has to be kept patched and monitored, and PCI DSS v4.0 added requirements for inventorying and integrity-checking the scripts that run on payment pages. Read the current SAQ A eligibility criteria when you fill it in.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
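One check that keeps the SAQ A scope honest: refuse, and never log, any form field that contains something shaped like a card number, so that a mis-wired checkout, a third-party plugin, or a customer pasting a card into an order note cannot push PANs into your database. The block below is an added example in Node-style JavaScript, not code from the original post or from Stripe, PayPal or WooCommerce; the field names and sample payloads are constructed. It uses the Luhn checksum, which every real card number satisfies, to separate PANs from order numbers and phone numbers of similar length.

```javascript
// Added example, not from the original post or from any payment provider's SDK:
// refuse form submissions that carry anything shaped like a card number.
// Field names and the sample payloads below are constructed for illustration.

// Luhn checksum (ISO/IEC 7812-1). Every real card number satisfies it, which is
// what separates a PAN from an order number or phone number of similar length.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

function findPans(value) {
  const hits = [];
  for (const m of String(value).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Walk a nested form payload and report every field holding a PAN-like value.
// Only the field path and the last four digits are returned, never the number itself.
function scanPayload(payload, path = '') {
  const findings = [];
  if (payload !== null && typeof payload === 'object') {
    for (const [key, val] of Object.entries(payload)) {
      findings.push(...scanPayload(val, path ? `${path}.${key}` : key));
    }
  } else if (typeof payload === 'string' || typeof payload === 'number') {
    for (const pan of findPans(payload)) findings.push({ field: path, last4: pan.slice(-4) });
  }
  return findings;
}

// Gate to run before the request body reaches your database layer or request logger.
function guardCheckoutPayload(payload) {
  const findings = scanPayload(payload);
  if (findings.length === 0) return { ok: true, findings };
  return {
    ok: false,
    findings,
    error: 'Card details must be entered in the payment provider form, not submitted to this server.',
  };
}

// Constructed samples: a clean order, and one where a PAN was pasted into a free-text field.
const SAMPLE_CLEAN = { email: 'buyer@example.com', order_id: '1234567890123', phone: '555-123-4567' };
const SAMPLE_LEAK = { email: 'buyer@example.com', shipping: { note: 'charge 4242 4242 4242 4242 thanks' } };

console.log(JSON.stringify(guardCheckoutPayload(SAMPLE_CLEAN)));
console.log(JSON.stringify(guardCheckoutPayload(SAMPLE_LEAK)));
```

Wire `guardCheckoutPayload` in before the body reaches your ORM or your logger; a finding reports only the field path and last four digits, so the guard’s own log lines stay outside PCI scope. It is a safety net behind the tokenized form, not a replacement for it.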
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6, takes 15 minutes at copyright.gov/dmca-directory, and must be renewed every three years or the designation lapses along with the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 under COPPA; GDPR sets the age of digital consent at 16, which member states may lower to 13), add a date of birth or age check to registration forms if there is any possibility of underage users, and close the account and delete its data promptly if you learn a user is under the threshold, because COPPA applies from the moment you have actual knowledge.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the version of the terms accepted alongside the account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, and they must be unticked by default - bundled consent is not valid.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CPRA amended the CCPA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
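To make the five requirements above and the category table concrete, here is an added example of a small consent gate (it is not code from the original post or from any of the plugins named below). It refuses everything non-essential until an active decision exists, treats only an explicit tick as a grant, keeps an append-only record of what was consented to, when, by whom and how, lets the visitor withdraw in one step, and re-prompts when the policy version changes. `ConsentManager`, `SCRIPT_REGISTRY`, `POLICY_VERSION` and the script entries are assumed names and constructed data.

```javascript
// Added example (not code from the original post or from any plugin it names):
// a minimal consent gate that enforces the requirements listed above.
// ConsentManager, SCRIPT_REGISTRY, POLICY_VERSION and the category labels are assumed names.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01"; // assumed value; change it whenever the cookie policy changes

// Constructed registry of the scripts a site might load, each tagged with its cookie category.
const SCRIPT_REGISTRY = [
  { id: "session-guard", src: "/js/session.js",                category: "necessary" },
  { id: "analytics",     src: "https://analytics.example/a.js", category: "analytics" },
  { id: "ad-pixel",      src: "https://ads.example/pixel.js",   category: "marketing" },
];

class ConsentManager {
  constructor({ now = () => new Date(), policyVersion = POLICY_VERSION } = {}) {
    this.now = now;               // injectable clock so records are reproducible in tests
    this.policyVersion = policyVersion;
    this.log = [];                // append-only consent records (persist server-side in production)
    this.current = null;          // latest decision; null means no decision yet
  }

  // Banner default: no non-essential category is pre-ticked.
  defaultChoices() {
    return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }

  // Show the banner when there is no decision or the policy changed since it was made.
  needsBanner() {
    return this.current === null || this.current.policyVersion !== this.policyVersion;
  }

  // Record an active decision. `choices` holds the categories the user ticked;
  // only an explicit boolean true counts as a grant (scrolling, strings, undefined do not).
  // method: "banner" for the first decision, "settings" for changes via the footer link.
  decide(choices, { subject = "anonymous", method = "banner" } = {}) {
    const granted = this.defaultChoices();
    for (const [category, value] of Object.entries(choices)) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      if (category === "necessary") continue;   // always on, never user-selectable
      granted[category] = value === true;
    }
    const record = {
      subject,                                     // user id or pseudonymous visitor token
      timestamp: this.now().toISOString(),         // when
      method,                                      // how
      policyVersion: this.policyVersion,           // which policy text the user saw
      granted,                                     // what was consented to
    };
    this.log.push(record);
    this.current = record;
    return record;
  }

  // Withdrawal is one call: every non-essential category goes back to refused.
  withdraw(opts = {}) {
    return this.decide({}, { ...opts, method: "withdraw" });
  }

  // Prior consent: without a valid decision only strictly necessary scripts may run.
  isAllowed(category) {
    if (category === "necessary") return true;
    if (this.needsBanner()) return false;
    return this.current.granted[category] === true;
  }

  // Script blocking: the page loader only ever sees scripts in allowed categories.
  scriptsToLoad(registry = SCRIPT_REGISTRY) {
    return registry.filter((s) => this.isAllowed(s.category)).map((s) => s.id);
  }
}

// Walk-through with a fixed clock.
function demo() {
  const cm = new ConsentManager({ now: () => new Date("2026-03-01T10:00:00Z") });
  const beforeDecision = cm.scriptsToLoad();                           // only "session-guard"
  cm.decide({ analytics: true, marketing: false }, { subject: "visitor-7f3a" });
  const afterDecision = cm.scriptsToLoad();                            // "session-guard", "analytics"
  cm.withdraw({ subject: "visitor-7f3a" });
  const afterWithdraw = cm.scriptsToLoad();                            // back to "session-guard"
  cm.decide({ analytics: true }, { subject: "visitor-7f3a", method: "settings" });
  cm.policyVersion = "2026-02";                                        // policy changed after consent
  const afterPolicyChange = cm.scriptsToLoad();                        // consent no longer valid
  return { beforeDecision, afterDecision, afterWithdraw, afterPolicyChange, records: cm.log };
}
```

In a real site the latest record would be persisted client-side (a first-party cookie or `localStorage`) so the banner is not shown on every page, and every record would also be posted to your server, since the consent log is what you produce when a regulator asks what a visitor agreed to. The point the demo makes is that the loader never asks "is this script blocked?"; it only ever receives scripts in categories that are currently allowed, which is the behaviour the plugins below implement under "script blocking".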
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms, and do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server, so only a token, never the card number, reaches your code.
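The processor's form keeps card data out of your checkout, but customers still paste card numbers into contact forms, support tickets and order notes, and a single one stored in your database or logs pulls that system into PCI scope. The following is an added example (not code from the original post, Stripe, PayPal or WooCommerce) of a server-side guard that screens submitted fields for anything that looks like a card number and passes the Luhn check, rejects the submission, and reports only a masked value. `luhnValid`, `findCardNumbers`, `maskPan`, `screenSubmission` and the sample submissions are assumed names and constructed data.

```javascript
// Added example, not code from the original post, Stripe, PayPal or WooCommerce:
// a guard that refuses form submissions carrying a raw card number, so a PAN typed
// into a contact or support form never reaches the database or the logs.
// luhnValid, findCardNumbers, maskPan and screenSubmission are assumed names.

// Luhn (mod 10) check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\d(?:[ -]?\d){12,18}/g;

// Return the digit strings in `text` that look like card numbers and pass Luhn.
// Luhn removes most false positives (order numbers, phone numbers, timestamps).
function findCardNumbers(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/\D/g, "");
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Keep only the last four digits, the most that should ever appear in a log entry.
function maskPan(digits) {
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Screen a submitted form. On a hit, return a rejection that names the field and a masked
// value; the raw number is never placed in the result, so nothing downstream can store it.
function screenSubmission(fields) {
  const problems = [];
  for (const [name, value] of Object.entries(fields)) {
    for (const pan of findCardNumbers(value)) {
      problems.push({ field: name, masked: maskPan(pan) });
    }
  }
  return problems.length > 0 ? { ok: false, problems } : { ok: true, fields };
}

// Constructed submissions; 4111 1111 1111 1111 is a widely published test number.
const SAMPLE_SUBMISSIONS = {
  supportTicket: { subject: "Refund", message: "My card 4111 1111 1111 1111 was charged twice" },
  orderQuery:    { ref: "ORD-2026-00042", phone: "+1 555 0100" },
  lookalike:     { id: "4111111111111112" },  // 16 digits but fails Luhn, so it passes through
};
```

Run this before the submission is written anywhere (database, ticketing system, e-mail, application log) and return a message asking the customer to remove the number. The guard is a backstop, not a substitute for the processor's hosted form: its job is to keep accidental card data out of systems that were supposed to be out of scope.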
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (typically 13, or 16 for EU sites, since GDPR lets member states set the age of digital consent anywhere from 13 to 16), and add an age or date-of-birth check to registration forms if there is any realistic chance of underage users. Keep the age gate neutral (do not print the required age next to the field, which invites false answers), and do not retain the date of birth once the check has passed unless you need it for another documented purpose.
Legal Page Templates and Placement
Your legal pages need to be easy to find, which in practice means linking them from every place a visitor makes a decision they cover. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; log the timestamp and the version of the terms accepted, because you will need both if the terms later change. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and neither is a pre-ticked box, since consent must be an affirmative act by the user.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. In the EU, you need opt-in consent to send marketing emails to subscribers (the ePrivacy rules implemented by each member state allow only a narrow “soft opt-in” for existing customers being offered similar products). Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism that is honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with implied consent limited to narrow cases such as an existing business relationship.
For a globally compliant email list: use double opt-in (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP address and method of consent for each subscriber, honor unsubscribe requests within 24 hours (faster than any of these laws require), and never purchase email lists. These practices satisfy all major jurisdictions at once, and the consent record is what you will produce if a subscriber or regulator ever asks why you emailed someone.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under the EU cookie rules (ePrivacy, enforced alongside GDPR) because it sets tracking cookies and sends visitor data to Google’s servers, which several EU regulators have treated as a transfer to the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and honor the Global Privacy Control signal (the Sec-GPC request header, or navigator.globalPrivacyControl in the browser), which the CPRA regulations treat as a valid opt-out of sale and sharing. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors; check that the plugin version you run also acts on the GPC signal rather than only showing the link.
Data Subject Rights
- Process for handling access requests (provide a copy of the data without undue delay and at most within one month, extendable by two further months for complex or numerous requests if you tell the requester within the first month)
- Process for deletion requests (erase data within the same one-month window, with exceptions such as legal retention obligations and pending disputes)
- Process for portability requests (export the data the user provided in a machine-readable format such as JSON or CSV)
- Process for correction requests (update inaccurate data and pass the correction on to any processor holding a copy)
- Verification step before acting on any request: confirm the requester controls the account or email address on file, because “send me everything you hold on this person” is a ready-made pretext for stealing someone else’s data
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
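As an added example (not code from the original post or from any of the processors it names), here is a server-side guard that enforces the "never touches your server" rule. It scans an incoming checkout payload for anything that looks like a card number (a 13 to 19 digit run that passes the Luhn check) and rejects the request, so a mis-built form or a misbehaving plugin cannot quietly pull you out of SAQ A scope; it only accepts a processor token. The field names, the `tok_` token prefix and the sample payloads are assumptions constructed for illustration.

```javascript
// Luhn checksum: every real card number passes it, so a Luhn-valid
// 13-19 digit run inside a request body is a strong signal of a PAN.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value contains a PAN-like digit run. Spaces and dashes are
// stripped first so "4242 4242 4242 4242" is caught as well.
function looksLikeCardNumber(value) {
  const compact = String(value).replace(/[\s-]/g, "");
  const runs = compact.match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Walks a (possibly nested) request body and returns the dotted paths of
// every field whose value looks like a card number. Empty array = clean.
function findCardNumbers(body, path = "") {
  const hits = [];
  if (body && typeof body === "object") {
    for (const [key, val] of Object.entries(body)) {
      hits.push(...findCardNumbers(val, path ? `${path}.${key}` : key));
    }
  } else if (typeof body === "string" || typeof body === "number") {
    if (looksLikeCardNumber(body)) hits.push(path);
  }
  return hits;
}

// Input contract for the checkout endpoint: the browser sends a processor
// token (assumed "tok_..." prefix, as Stripe.js issues), never raw card data.
function validateCheckoutPayload(body) {
  const pans = findCardNumbers(body);
  if (pans.length > 0) {
    // Report the field path only; never log the value, or the PAN lands in your logs.
    return { ok: false, reason: `card data in field(s): ${pans.join(", ")}` };
  }
  if (typeof body.paymentToken !== "string" || !body.paymentToken.startsWith("tok_")) {
    return { ok: false, reason: "missing processor token" };
  }
  return { ok: true };
}

// Constructed sample payloads (not real transactions).
const goodPayload = { paymentToken: "tok_example_placeholder", amount: 1999 };
const badPayload = { card: { number: "4242 4242 4242 4242", exp: "12/30" }, amount: 1999 };

console.log(validateCheckoutPayload(goodPayload)); // { ok: true }
console.log(validateCheckoutPayload(badPayload));  // rejected: card.number
```

Run the check before any other processing (before logging, before writing to the database), and treat a hit as an incident to investigate rather than a user error: it means something on the page is posting card details to you. Long order numbers or phone numbers can occasionally pass Luhn, so tune the excluded fields for your own forms rather than loosening the check.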
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
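The two registration-form rules above (a minimum-age check from the COPPA section, and separate, unbundled consent checkboxes from this one) can be enforced server-side in one validator. This is an added example, not code from the original post or from WordPress: the Terms of Service box must be explicitly true, marketing consent is a separate flag that may stay false, a single "agree to everything" flag is refused as bundled consent, and the date of birth is compared against 13 by default or 16 for EU sites. It returns the per-purpose consent records (date, IP, method, policy version) that you would store. Field names, the region codes and the version strings are assumptions.

```javascript
// Minimum ages from the post: 13 generally, 16 for EU sites (assumed region keys).
const MIN_AGE = { default: 13, eu: 16 };

// Age in whole years on a given date; both dates are "YYYY-MM-DD" strings,
// compared in UTC so the result does not depend on the server's timezone.
function ageOn(dobIso, todayIso) {
  const dob = new Date(dobIso + "T00:00:00Z");
  const today = new Date(todayIso + "T00:00:00Z");
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed =
    today.getUTCMonth() > dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() >= dob.getUTCDate());
  if (!birthdayPassed) age -= 1;
  return age;
}

// form: { email, dob, acceptTerms, marketingConsent }   (assumed field names)
// ctx:  { region: "eu" | "default", now: "YYYY-MM-DD", ip, tosVersion, privacyVersion }
function validateRegistration(form, ctx) {
  const errors = [];
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(form.email || "")) errors.push("email invalid");
  if (!/^\d{4}-\d{2}-\d{2}$/.test(form.dob || "")) errors.push("dob required");
  else if (ageOn(form.dob, ctx.now) < (MIN_AGE[ctx.region] ?? MIN_AGE.default)) errors.push("under minimum age");
  // The ToS box is unchecked by default; only an explicit true counts as acceptance.
  if (form.acceptTerms !== true) errors.push("terms not accepted");
  // One flag covering terms and marketing together is bundled consent: reject it.
  if ("agreeAll" in form) errors.push("bundled consent not accepted");
  if (errors.length) return { ok: false, errors, consents: [] };

  // One record per purpose, each with the evidence the post says to keep.
  const base = { email: form.email, at: ctx.now, ip: ctx.ip, method: "registration-form" };
  const consents = [
    { ...base, purpose: "terms-of-service", granted: true, version: ctx.tosVersion },
    { ...base, purpose: "email-marketing", granted: form.marketingConsent === true, version: ctx.privacyVersion },
  ];
  return { ok: true, errors, consents };
}

// Constructed sample submission: a 14-year-old, terms accepted, marketing left unchecked.
const sampleForm = { email: "alice@example.com", dob: "2010-06-15", acceptTerms: true, marketingConsent: false };
const euContext = { region: "eu", now: "2025-01-10", ip: "203.0.113.7", tosVersion: "2024-09", privacyVersion: "2024-09" };

console.log(validateRegistration(sampleForm, euContext));                          // rejected: under 16 in the EU
console.log(validateRegistration(sampleForm, { ...euContext, region: "default" })); // accepted, marketing consent recorded as false
```

A self-declared date of birth is the "age check" the post describes; it is not verifiable parental consent, so a site that knowingly serves under-13 users still needs the full COPPA process. Store the returned `consents` array alongside the account: the separate, dated record for each purpose is what lets you show later which consent was given, and which was not.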
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse). The CJEU confirmed in Planet49 (2019) that a pre-ticked box is not consent.
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” button with no equally prominent “Reject All” is not freely given consent: refusing must take no more clicks than accepting.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard. Withdrawal has to stop the scripts, not just update the record: a script already running in the page cannot be unloaded, so delete that vendor’s cookies and reload.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: GDPR Article 7 makes you responsible for demonstrating consent, so store what was consented to (the categories), the banner version and text shown, and when. Key the record to a random consent ID rather than to a real identity unless the visitor is logged in; collecting extra identifying data purely to log consent is itself a data-minimisation problem.
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, the cookie that stores the visitor’s consent choice | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - a setting the user explicitly chose is usually exempt while it is needed; long-lived preference cookies often require consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under ePrivacy/GDPR (a narrowly configured first-party tool such as cookieless Matomo may qualify for a national audience-measurement exemption) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes. Plugin features move between free and paid tiers over time, so confirm the columns you depend on (geo-targeting, consent logs, script blocking) against the vendor’s current pricing page before committing, and re-run the private-window cookie check described above after setup: a consent plugin that is installed but not blocking anything is the most common misconfiguration.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month, extendable by two further months for complex requests; the response must also cover data held for you by processors such as your email platform, which is what the data map above is for)
- Process for deletion requests (erase within the same deadline, with exceptions such as records you must keep by law, e.g. invoices; propagate the deletion to processors)
- Process for portability requests (export data in a machine-readable format such as JSON or CSV)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form), and verify the requester’s identity before acting on one. A data subject request is a standard pretext for extracting someone else’s data, so confirm control of the account’s email address (or require an authenticated session) before you release an export or delete an account.
Data Processing Agreements
Every third-party service that processes personal data on your behalf must be bound by a Data Processing Agreement (DPA) with you (GDPR Article 28). This includes: Google Analytics (accept Google’s data processing terms), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors offer DPAs for download or electronic signature in their settings dashboards; others incorporate the DPA by reference into their terms of service, in which case there is nothing to sign and you should keep a dated copy of the version that applies to you. Completing them is a 10-minute task per vendor. Having no processor contract in place is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). Both send the user a confirmation email first and only run once the link in it is clicked, which is the identity check the request process needs. They work for core WordPress data but may not cover plugin data: a plugin has to register its own exporter and eraser with WordPress (through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters) to be included. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions are covered, and run a test request against a throwaway account to see what actually comes out.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Keep a written log of every incident, including those you judge not reportable, with the reasoning - GDPR requires this record whether or not you notified. Designate someone responsible for breach assessment and notification in your organization, and remember that a breach at a processor (your email platform, your host) is still yours to assess and report; the DPA should oblige them to tell you promptly.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. California’s regulations also require treating the Global Privacy Control browser signal (sent as the Sec-GPC request header and exposed to scripts as navigator.globalPrivacyControl) as a valid opt-out, so check that your plugin processes it and does not fire the sharing pixels for such visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When the card fields live in the processor’s hosted page or iframe and card data never touches your server, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire); a form where your own page collects the fields and posts them to the processor from JavaScript falls under SAQ A-EP, which has considerably more requirements. Even under SAQ A, since PCI DSS 4.0 you are expected to keep the payment page free of unvetted third-party scripts (inventory them and use integrity controls), because a compromised script can skim card numbers in the browser before they reach the processor.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and watch the places they leak into by accident: free-text “order notes” fields, support tickets, and web server or application logs. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side in the processor’s iframe and sending your server only a token that is useless outside your processor account.
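A control worth having alongside the processor’s form is a check that a card number cannot slip into your database through some other field. The following is an added example, not from the page, Stripe, PayPal or WooCommerce: it scans a submitted payload for Luhn-valid sequences of 13 to 19 digits (the checksum every real card number satisfies, which keeps phone and order numbers from matching), refuses the submission if one is found, and reports the field with the number masked to the first six and last four digits so the rejection can be logged safely. The same scan run over log files and database dumps is a cheap audit for accidental card data. The sample payload in the test is constructed.

```javascript
// Added example (not from the page, Stripe, PayPal or WooCommerce): a server-side guard that
// refuses any form submission containing something that looks like a real card number, so a
// misconfigured form or a pasted PAN cannot reach your database or logs. Processor tokens
// (Stripe's "pm_..." payment-method ids, for instance) are alphanumeric and pass through.

// Luhn check: the checksum every real PAN satisfies. It keeps order numbers and phone numbers,
// which rarely pass it, from being flagged.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Finds candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes, that pass Luhn.
function findPans(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  for (const m of text.match(re) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Masks a PAN for a log line or error message: first six and last four (the PCI-permitted display).
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Walks every string (and number) in a submitted payload. Returns { ok: true } or
// { ok: false, fields: [{ field, masked }] } naming the offending keys with the number masked.
function checkSubmission(payload) {
  const offending = [];
  const walk = (value, path) => {
    if (typeof value === 'number') value = String(value);
    if (typeof value === 'string') {
      for (const pan of findPans(value)) offending.push({ field: path, masked: maskPan(pan) });
    } else if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, path ? `${path}.${k}` : k);
    }
  };
  walk(payload, '');
  return offending.length === 0 ? { ok: true } : { ok: false, fields: offending };
}
```

Run checkSubmission() on every inbound form body before it is persisted, and treat a hit as an incident to investigate (where did the number come from?), not just a validation error.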
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses, taking the safe harbor with it - put the renewal date in the maintenance schedule. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13, or 16 for EU sites, where GDPR sets 16 by default and lets member states lower it to 13), and add a date of birth or age check to registration forms if there is any possibility of underage users. Store only the outcome of the check, not the date of birth itself: a birth date is personal data you otherwise have no reason to keep.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance - store the timestamp and the ToS version accepted against the account so you can show which terms a given user agreed to. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and the marketing box must default to unchecked.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - the CCPA was amended by the CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. “Using the site implies acceptance” (browsewrap) is weakly enforceable; an explicit checkbox at registration or checkout (clickwrap) is what courts reliably uphold, so use it for anything involving accounts or payment
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers) and, for any of them outside the EU/UK, the transfer mechanism you rely on (Standard Contractual Clauses, the EU-US Data Privacy Framework, or an adequacy decision) - GDPR Article 13 makes the transfer disclosure mandatory, and it is the item most template policies leave out
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox or button (“clickwrap”) is enforced far more reliably by courts than “by using the site you agree” (“browsewrap”), so use the checkbox wherever there is an account or a purchase
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The same rule covers anything else stored on or read from the visitor’s device for a non-essential purpose (localStorage entries, tracking pixels, device fingerprinting), so moving a tracker from a cookie to a localStorage key does not escape it. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session. The simplest check: open your site in a fresh private window, click nothing, and inspect the cookie store in the browser’s developer tools; anything beyond the strictly necessary list is being set without consent.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site. Some regulators accept “consent or pay” models that offer a genuine paid, tracking-free alternative, but a bare “accept or leave” wall is not freely given consent
- Consent records: You must be able to demonstrate consent (GDPR Article 7), so store what was consented to, when, and which version of the cookie policy the visitor saw, keyed by a pseudonymous consent ID rather than by name or account wherever you can. The log is evidence of consent, not another profile of the visitor
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens, load-balancer affinity cookies, the cookie that stores the visitor’s own consent choice | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR. Some regulators (France’s CNIL, for example) exempt strictly limited first-party audience measurement, which is what the Privacy-First Analytics tools below rely on; session recording never qualifies |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond without undue delay and within one month; extendable by two further months for complex requests, provided you tell the requester why within the first month)
- Process for deletion requests (same one-month deadline, with exceptions such as data you must retain for legal or accounting obligations)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (users, comments, media) plus whatever plugins register through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters - and only that. Run a test export for an account you control and check whether your WooCommerce orders, BuddyPress profiles, or form submissions appear; a plugin that has not registered an exporter leaves its data out silently, and you still have to produce it by hand.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly without undue delay. Every breach, notified or not, must be documented internally with the facts, effects, and remedial action taken (Article 33(5)), and the clock runs from awareness, not from the end of your investigation, so notification can and should be made in phases as facts emerge. Designate someone responsible for breach assessment and notification in your organization, and make sure your hosting provider and other processors are contractually required to report breaches to you promptly, because your 72 hours start when they tell you.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CPRA regulations also require honoring opt-out preference signals sent by the browser - the Global Privacy Control (GPC) header and its navigator.globalPrivacyControl JavaScript flag being the common one - and California’s Attorney General has already settled with a retailer (Sephora, 2022) for ignoring it. Check that your consent tool treats a GPC signal as an opt-out of sale/sharing without the visitor having to click anything.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or a payment form that the processor renders inside its own iframe (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire); a form you build yourself that posts card fields directly to the processor from the browser puts you in the longer SAQ A-EP instead, because your page controls the fields.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and do not let them into your logs either - a debug setting that prints request bodies is the most common way a SAQ A site accidentally ends up storing card data. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server. PCI DSS v4 also cares about the integrity of the payment page itself (an inventory of the scripts loaded on it and detection of unauthorized changes), so keep analytics, chat widgets, and ad tags off the checkout page.
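A check worth running on a SAQ A site, as an added example written for this page rather than code from Stripe, PayPal or WooCommerce: a scanner that flags anything shaped like a card number (13 to 19 digits that pass the Luhn checksum) in request bodies or log lines, so that the first time a raw PAN reaches your server you find out before an assessor does. The sample log lines are constructed and use public test card numbers; a Luhn-valid number can still be a coincidence, so treat hits as leads to investigate, not proof.

```javascript
// Added example for this page, not part of Stripe, PayPal or WooCommerce.
// Scans text your server handles (request bodies, log lines) for anything that looks
// like a primary account number, so a SAQ A site can catch card data leaking into scope.
// The sample lines are constructed; the PANs in them are public test numbers.

// Luhn checksum: every real card PAN passes it, which filters out most random digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Returns masked PANs found in `text` (first six and last four kept, which PCI permits).
function findCardNumbers(text) {
  const found = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4));
    }
  }
  return found;
}

// Returns the indexes of lines that carry a probable PAN; run it over access and debug logs.
function scanLogLines(lines) {
  const hits = [];
  lines.forEach((line, i) => { if (findCardNumbers(line).length > 0) hits.push(i); });
  return hits;
}

// Constructed sample: a tokenized checkout (fine), a raw card number (scope breach),
// and a 16-digit order id that fails Luhn (ignored).
const SAMPLE_LOG = [
  'POST /checkout body={"payment_method":"pm_1AbCdEfGh","amount":4200}',
  'POST /checkout body={"card_number":"4242 4242 4242 4242","exp":"12/30","cvc":"123"}',
  'GET /orders/1234567890123456 200',
];
```

The first sample line is what a correctly tokenized checkout looks like from the server’s side: an opaque processor identifier and an amount, nothing card-shaped. Run `scanLogLines` over a day of logs after any change to the checkout, and wire `findCardNumbers` into the request logger so a hit is rejected rather than written.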
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years, so put the renewal on your compliance calendar; a lapsed registration means no safe harbor. Add a DMCA policy page to your site explaining your takedown process, including how you handle counter-notices and repeat infringers (a repeat-infringer policy is itself a condition of the safe harbor), and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; log the timestamp and the version of the terms accepted alongside the account. Do not bundle GDPR consent into that checkbox: consent for each optional purpose (marketing emails, analytics, profiling) needs its own unticked checkbox, separate from the terms acceptance. Data you need to provide the account itself (an email address for login, billing details for paid plans) is processed under contract, not consent, and needs no checkbox at all - asking for “consent” to it only muddles your lawful basis.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need prior opt-in consent to send marketing emails, the main exception being the “soft opt-in” for existing customers about similar products, where they were given the chance to refuse at the point of collection. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism honored within 10 business days, a valid physical postal address, and a non-deceptive subject line. Under CASL (Canada), express opt-in is required for commercial messages, with implied consent recognized only in narrow cases such as an existing business relationship, and the burden of proving consent is on the sender.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, form or page, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. Also send the List-Unsubscribe and List-Unsubscribe-Post headers so mail clients can offer one-click unsubscribe (RFC 8058); Gmail and Yahoo have required this of bulk senders since 2024, so a list without it loses deliverability regardless of its legal status. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Can run without cookies (its tracker has a disableCookies option) and with IP addresses truncated; France’s CNIL lists Matomo in that configuration among the audience-measurement tools exempt from the consent requirement, and other regulators take similar positions. The exemption covers basic audience measurement only - cross-site tracking, session recording, or sharing the data with third parties brings the consent requirement back.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that offers goods or services to people in the EU or monitors their behavior there, regardless of where the business is located (Article 3(2)). A small US website that sells to European customers is subject to GDPR, and so is one that runs analytics or advertising pixels on EU visitors, because that counts as monitoring. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods/services to, or monitoring the behavior of, people in the EU | Lawful basis for processing, consent, data subject rights, DPO for public bodies and for large-scale monitoring or sensitive-data processing | 4% of global annual turnover or EUR 20M, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), assume GDPR applies. Merely being reachable from the EU is not enough on its own, but the moment you run analytics or ad tracking on EU visitors, ship to EU addresses, or price in euros, you are monitoring or offering services to people in the EU. Given that EU-based visitors reach most English-language websites and most of those sites run analytics, treat GDPR compliance as a baseline requirement.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
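The requirements above (prior consent, granular categories, easy withdrawal, a consent record) and the category split in the table are mechanical enough to show in code. The block below is an added example written for this article, not the code of Complianz, CookieBot or any other plugin; `ConsentManager`, `registerScript` and the `policyVersion` field are invented names. It keeps every non-essential script in a queue until the visitor has made an explicit per-category decision, writes one record per decision, and treats withdrawal as just another recorded decision.

```javascript
'use strict';

// Added example: a minimal consent gate enforcing "prior" and "granular" consent.
// Illustration code only; not any consent plugin's implementation.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

class ConsentManager {
  constructor({ policyVersion, now = () => new Date() } = {}) {
    this.policyVersion = policyVersion; // tie each record to the policy text the visitor saw
    this.now = now;                     // injectable clock so records are reproducible in tests
    this.choices = null;                // null = no decision yet: nothing non-essential runs
    this.records = [];                  // consent log: what was consented to, when, by whom
    this.pending = { functional: [], analytics: [], marketing: [] };
  }

  // Register a loader for a tagged script. Strictly necessary scripts run at once;
  // anything else waits until the visitor has actively consented to its category.
  registerScript(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.allowed(category)) { loader(); return true; }
    this.pending[category].push(loader);
    return false;
  }

  allowed(category) {
    return category === 'necessary' ||
      (this.choices !== null && this.choices[category] === true);
  }

  // Record an explicit decision. Every non-essential category must be stated
  // (no silent defaults, no pre-ticked boxes) and only a literal true counts as consent.
  recordConsent(choices, visitorId) {
    const normalized = { necessary: true };
    for (const c of CATEGORIES) {
      if (c === 'necessary') continue;
      if (typeof choices[c] !== 'boolean') throw new Error(`explicit decision required for ${c}`);
      normalized[c] = choices[c];
    }
    this.choices = normalized;
    const record = {
      visitorId,
      policyVersion: this.policyVersion,
      at: this.now().toISOString(),
      choices: { ...normalized },
    };
    this.records.push(record);
    this.flush();
    return record;
  }

  acceptAll(visitorId) {
    return this.recordConsent({ functional: true, analytics: true, marketing: true }, visitorId);
  }

  rejectAll(visitorId) {
    return this.recordConsent({ functional: false, analytics: false, marketing: false }, visitorId);
  }

  // Withdrawal is recorded like any other decision. Scripts that already ran cannot
  // be unloaded, so the caller should also delete the cookies those scripts set.
  withdraw(visitorId) { return this.rejectAll(visitorId); }

  // Run queued loaders for every category that is now permitted.
  flush() {
    for (const c of Object.keys(this.pending)) {
      if (!this.allowed(c)) continue;
      for (const loader of this.pending[c]) loader();
      this.pending[c] = [];
    }
  }
}

// Browser-side loader factory: the <script> tag is created only when the loader
// runs, so the tag never reaches the page before consent. No-op outside a browser.
function scriptLoader(src) {
  return () => {
    if (typeof document === 'undefined') return;
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  };
}
```

A "Reject All" button maps to `rejectAll`, the footer "Cookie settings" link to a new `recordConsent` call, and the `records` array is what you would persist server-side as the consent log the requirements list asks for.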
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
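Even with Stripe.js or Smart Buttons in place, a free-text field on a contact or support form can still pull card numbers onto your server if a customer types one in, and that single field puts you back in scope. The block below is an added example, not from the article or from Stripe, PayPal or WooCommerce: a server-side guard that screens every submitted field for Luhn-valid 13 to 19 digit sequences and rejects the submission, reporting only a truncated form of the number (first six and last four digits) so the guard's own logs do not become card data. `screenSubmission` and the other function names are invented for this example.

```javascript
'use strict';

// Added example: keep card numbers out of your own forms. Not from any payment library.

// Luhn checksum: the last digit of a PAN is a check digit over the others.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// Return the digit strings in `text` that look like real card numbers
// (right length and valid Luhn checksum). Phone numbers and order ids rarely pass both.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_PATTERN)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Truncate to first six and last four digits before anything is logged or returned.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Inspect every field of a form submission. Returns { ok, rejectedFields }; the full
// number is never echoed back, so a rejection message or log line stays out of scope.
function screenSubmission(fields) {
  const rejectedFields = [];
  for (const [name, value] of Object.entries(fields)) {
    const pans = findPans(value);
    if (pans.length > 0) rejectedFields.push({ field: name, masked: pans.map(maskPan) });
  }
  return { ok: rejectedFields.length === 0, rejectedFields };
}
```

Run `screenSubmission` on the parsed body before it is written to the database or forwarded by e-mail; when `ok` is false, return a message asking the customer not to send card details through the form and point them at the checkout instead.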
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
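A defensive complement to the advice above, added here and not taken from the post or from any processor's SDK: a server-side screen that refuses to persist a form submission when a field contains a Luhn-valid card number, so a mis-built or free-text form cannot drag card data into your database and your PCI scope. The form fields and the widely published test card number are constructed sample input.

```python
"""Server-side screen that keeps card numbers out of your own forms and DB.

Added example, not code from the original post or from Stripe, PayPal or
WooCommerce. Card entry belongs in the processor's hosted/embedded form;
this check catches the failure mode where a free-text or mis-wired field
receives a card number anyway, and refuses to store or log it.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit counted from the right."""
    if not digits.isdigit():
        return False
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text, separators stripped.
    The Luhn filter discards most phone numbers and order ids that merely look long."""
    found = []
    for m in _PAN_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits for the rejection log entry."""
    return "*" * (len(digits) - 4) + digits[-4:]


def screen_submission(fields: dict[str, str]) -> dict:
    """Screen a form submission before it is persisted or logged.

    Returns {"ok": bool, "blocked_fields": {field: masked_pan}}. When ok is
    False the caller must drop the submission and point the user at the
    processor's payment form instead of storing what they typed.
    """
    blocked = {}
    for name, value in fields.items():
        pans = find_pans(value)
        if pans:
            blocked[name] = mask_pan(pans[0])
    return {"ok": not blocked, "blocked_fields": blocked}


# Constructed sample: a contact form where someone pasted a card number
# (4242... is a widely published test number, not a real card).
SAMPLE_SUBMISSION = {
    "name": "A. Example",
    "phone": "+1 555 0100 2000",
    "notes": "please charge 4242 4242 4242 4242 for the order",
}

if __name__ == "__main__":
    print(screen_submission(SAMPLE_SUBMISSION))
```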
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
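The consent properties listed here (no pre-tick, granular, withdrawable) and the email-list practices under Email Marketing Consent and Privacy (double opt-in, recording date, IP and method, honouring unsubscribes within 24 hours) can be modelled in one registry. The following is an added example, not the post's code nor any email platform's; the purpose names, the `web_form_double_opt_in` method label and the in-memory storage are assumptions.

```python
"""Consent registry with per-purpose records and double opt-in.

Added example, not code from the original post or from any email platform.
It models: one checkbox per purpose (no bundling, no pre-ticking), a record
of date, IP and method for every consent, confirmation by e-mailed token
before the address becomes active, withdrawal at any time, and a check that
unsubscribe requests are honoured within a 24-hour target.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Each purpose is its own checkbox on the form; "agree to everything" is not a purpose.
PURPOSES = ("marketing_email", "product_updates")
UNSUBSCRIBE_SLA = timedelta(hours=24)


def blank_form() -> dict[str, bool]:
    """Form defaults: every purpose unticked (consent boxes are never pre-ticked)."""
    return {p: False for p in PURPOSES}


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    granted_at: datetime   # when the box was ticked
    ip: str                # client IP at that moment
    method: str            # how consent was obtained
    wording: str           # exact checkbox text the subscriber saw
    confirmed_at: datetime | None = None  # set by the double opt-in click
    withdrawn_at: datetime | None = None

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentRegistry:
    def __init__(self) -> None:
        self.records: dict[tuple[str, str], ConsentRecord] = {}
        self._pending: dict[str, tuple[str, str]] = {}   # token -> (email, purpose)
        self._unsub_requested: dict[str, datetime] = {}  # email -> when they asked

    def submit_form(self, email: str, ticked: dict[str, bool], ip: str,
                    wording: dict[str, str], now: datetime) -> list[str]:
        """Record a signup. Returns confirmation tokens to send by e-mail;
        nothing becomes active until the subscriber clicks one."""
        if set(ticked) != set(PURPOSES):
            raise ValueError("form must carry one explicit value per purpose")
        tokens = []
        for purpose, checked in ticked.items():
            if not checked:
                continue  # untouched box: no record, no e-mail
            self.records[(email, purpose)] = ConsentRecord(
                email, purpose, now, ip, "web_form_double_opt_in", wording[purpose])
            token = secrets.token_urlsafe(24)
            self._pending[token] = (email, purpose)
            tokens.append(token)
        return tokens

    def confirm(self, token: str, now: datetime) -> bool:
        """Double opt-in: the link in the confirmation e-mail carries the token."""
        key = self._pending.pop(token, None)
        if key is None:
            return False  # unknown or already used
        self.records[key].confirmed_at = now
        return True

    def may_send(self, email: str, purpose: str) -> bool:
        rec = self.records.get((email, purpose))
        return rec is not None and rec.active

    def request_unsubscribe(self, email: str, now: datetime) -> None:
        """Log the request; the SLA clock starts here."""
        self._unsub_requested.setdefault(email, now)

    def process_unsubscribe(self, email: str, now: datetime) -> int:
        """Withdraw every purpose for the address. Returns how many were withdrawn."""
        n = 0
        for (addr, _), rec in self.records.items():
            if addr == email and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                n += 1
        self._unsub_requested.pop(email, None)
        return n

    def overdue_unsubscribes(self, now: datetime) -> list[str]:
        """Addresses whose unsubscribe request is older than the SLA and still unprocessed."""
        return [e for e, t in self._unsub_requested.items() if now - t > UNSUBSCRIBE_SLA]
```

Running `overdue_unsubscribes` from a scheduled job is the practical check that the 24-hour target is actually met rather than merely promised in the policy.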
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
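How the four request types from the checklist map onto a site that keeps personal data in several stores (core profile, orders, form submissions, newsletter platform), as an added example that is not WordPress's or WooCommerce's own tooling: the stores, the person and the retention rule are constructed, and the 30-day deadline follows the checklist above.

```python
"""Data-subject request handling across several data stores.

Added example, not code from the original post, WordPress or WooCommerce.
It covers the four request types in the checklist (access, deletion,
portability, correction), tracks the 30-day response deadline, exports a
machine-readable JSON bundle gathered from every store that holds the
person's data, and applies a retention exception on erasure: order rows
kept under a legal obligation (tax records) are pseudonymised, not deleted.
"""
from __future__ import annotations

import json
from datetime import date, timedelta

RESPONSE_DEADLINE = timedelta(days=30)

# Constructed in-memory stand-ins for the WP user table, WooCommerce orders,
# a forms plugin and the e-mail platform; each keyed the way that store keys it.
USERS = {"u42": {"email": "jane@example.test", "name": "Jane Doe", "last_ip": "198.51.100.7"}}
ORDERS = [{"id": 1001, "user": "u42", "email": "jane@example.test", "total": "49.00",
           "ship_to": "1 High Street", "date": "2023-11-02"}]
FORMS = [{"id": 7, "email": "jane@example.test", "message": "Question about pricing"}]
NEWSLETTER = {"jane@example.test": {"status": "subscribed", "consent_ip": "198.51.100.7"}}


def deadline_for(received_iso: str) -> str:
    """Last day to respond (ISO date) for a request received on received_iso."""
    return (date.fromisoformat(received_iso) + RESPONSE_DEADLINE).isoformat()


def is_overdue(received_iso: str, today_iso: str) -> bool:
    return date.fromisoformat(today_iso) > date.fromisoformat(deadline_for(received_iso))


def _find_user_id(email: str) -> str | None:
    for uid, u in USERS.items():
        if u["email"].lower() == email.lower():
            return uid
    return None


def collect(email: str) -> dict:
    """Access request: gather everything held about one person, store by store."""
    key = email.lower()
    uid = _find_user_id(email)
    return {
        "profile": USERS.get(uid) if uid else None,
        "orders": [o for o in ORDERS if o["email"].lower() == key],
        "form_submissions": [f for f in FORMS if f["email"].lower() == key],
        "newsletter": NEWSLETTER.get(key),
    }


def export_json(email: str) -> str:
    """Portability request: machine-readable export of the collected data."""
    return json.dumps({"subject": email, "data": collect(email)}, indent=2, sort_keys=True)


def rectify(email: str, field: str, value: str) -> bool:
    """Correction request: update one profile field if the person exists."""
    uid = _find_user_id(email)
    if uid is None or field not in USERS[uid]:
        return False
    USERS[uid][field] = value
    return True


def erase(email: str) -> dict[str, int]:
    """Deletion request. Order rows fall under the legal-obligation exception
    (tax record keeping), so they are pseudonymised rather than removed."""
    key = email.lower()
    summary = {"profile_deleted": 0, "forms_deleted": 0,
               "newsletter_deleted": 0, "orders_pseudonymised": 0}
    uid = _find_user_id(email)
    if uid is not None:
        del USERS[uid]
        summary["profile_deleted"] = 1
    before = len(FORMS)
    FORMS[:] = [f for f in FORMS if f["email"].lower() != key]
    summary["forms_deleted"] = before - len(FORMS)
    if NEWSLETTER.pop(key, None) is not None:
        summary["newsletter_deleted"] = 1
    for o in ORDERS:
        if o["email"].lower() == key:
            o["email"] = o["ship_to"] = "[erased]"  # identifying fields only
            o["user"] = None                        # amount, date and id stay for tax
            summary["orders_pseudonymised"] += 1
    return summary


if __name__ == "__main__":
    print("deadline:", deadline_for("2024-03-01"))
    print(export_json("jane@example.test"))
    print(erase("jane@example.test"))
```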
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent (GDPR Article 7(1)). Store what was consented to, when, and which version of the notice was shown, keyed by a pseudonymous consent ID rather than the visitor’s identity, so the consent log does not itself become another tracking dataset.
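The five requirements above, as an added example that is not code from the original post or from any of the plugins compared later on the page: a small consent gate in plain JavaScript. It assumes its own storage key, notice version and category names, and a convention of writing third-party tags as script elements with type text/plain plus data-consent and data-src attributes, so the browser neither fetches nor runs them until a consent record exists. The record, storage and script-filtering logic is kept free of browser APIs so it can be exercised outside a page; only the final DOM swap needs a browser.

```javascript
// Added example (not code from the original post or from any consent plugin):
// a minimal consent gate implementing prior consent, no pre-ticked boxes,
// granular categories, easy withdrawal and a consent record. The storage key,
// notice version, category names and the data-consent/data-src attribute
// convention are this example's own assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const STORAGE_KEY = "site_consent";      // assumed key name
const NOTICE_VERSION = "2024-06-01";     // bump whenever the banner text or categories change

// Starting point: only strictly necessary cookies. Nothing is pre-ticked.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// "Accept all" is one click, but a browser opt-out signal (Global Privacy
// Control) keeps marketing off unless the user turns it on explicitly.
function acceptAll({ gpc = false } = {}) {
  return { necessary: true, functional: true, analytics: true, marketing: !gpc };
}

function randomId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return "c-" + Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 10);
}

// Turn explicit choices into a record you can later produce as evidence:
// what, when, under which notice version, under a pseudonymous id.
// Unknown categories are ignored and "necessary" cannot be switched off.
function buildRecord(choices, { gpc = false, now = new Date(), id = randomId() } = {}) {
  const categories = defaultChoices();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && typeof choices[c] === "boolean") categories[c] = choices[c];
  }
  return { id, version: NOTICE_VERSION, timestamp: now.toISOString(), categories, gpcSignal: gpc };
}

// Withdrawal is the same operation as consent, with the category set to false;
// the id is kept so the history of one visitor's decisions stays linked.
function withdraw(record, category, opts = {}) {
  return buildRecord({ ...record.categories, [category]: false },
                     { gpc: record.gpcSignal, ...opts, id: record.id });
}

// Prior consent: with no record at all, only "necessary" may run.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  return Boolean(record && record.categories && record.categories[category] === true);
}

function saveRecord(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// A stored record is only valid while the notice is unchanged and reasonably
// fresh; otherwise the banner has to be shown again.
function readRecord(storage, { now = new Date(), maxAgeDays = 180 } = {}) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || rec.version !== NOTICE_VERSION) return null;
  const ageMs = now.getTime() - Date.parse(rec.timestamp);
  if (!(ageMs >= 0 && ageMs <= maxAgeDays * 86400000)) return null;
  return rec;
}

// In-memory stand-in for localStorage so the logic runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Third-party tags are written as <script type="text/plain" data-consent="analytics"
// data-src="https://..."> so the browser neither fetches nor executes them. This
// filter is pure (works on plain objects); the DOM swap below only runs in a browser.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => s.type === "text/plain" && isAllowed(record, s.dataset.consent));
}

function activateGatedScripts(record) {
  if (typeof document === "undefined") return 0;
  const placeholders = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  let activated = 0;
  for (const s of scriptsToActivate(placeholders, record)) {
    const live = document.createElement("script");
    if (s.dataset.src) live.src = s.dataset.src; else live.textContent = s.textContent;
    s.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Show the banner whenever readRecord returns null (no record, a changed notice version, or a record older than the chosen maximum age), call activateGatedScripts right after saveRecord, and wire the footer’s cookie settings link to withdraw followed by a reload so revoking is one click, the same as accepting. Keep a server-side copy of each record if you will need to produce it later; the browser copy disappears with the visitor’s storage.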
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Exempt only when the user explicitly asked for the feature (chose a language, ticked “remember me”); otherwise consent |
| Analytics | Google Analytics, Hotjar session recordings, Matomo with cookies enabled | Yes under ePrivacy/GDPR; some regulators (France’s CNIL, for example) exempt narrowly scoped first-party audience measurement |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month, extendable by up to two further months for complex or numerous requests, free of charge in the normal case)
- Process for deletion requests (erase within the same one-month window, subject to the legal-obligation and other exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form) and how you verify the requester’s identity before you release or delete anything; a forged access request is an easy way to obtain someone else’s data
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core data (user profiles, comments, media) and any plugin that registers its own exporter and eraser through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters; many plugins do not. Run a test export and erasure for a throwaway account and check whether your WooCommerce orders, BuddyPress profiles, or form submissions actually appear before you rely on the tools for a real request.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly without undue delay. Record every breach internally, including the ones you judge not reportable, with the facts, the effects and the remedial action taken; Article 33(5) requires that register, and it is the first thing an authority asks for. Designate someone responsible for breach assessment and notification, and make sure your hosting and SaaS processors are contractually required to tell you about breaches promptly, since your 72 hours start when you become aware, not when they do.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. The CCPA regulations also require you to honor opt-out preference signals such as Global Privacy Control (the browser sends a Sec-GPC: 1 request header and exposes navigator.globalPrivacyControl), so check that your consent tool treats that signal as an opt-out of selling and sharing; a footer link alone does not satisfy this.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). Reduced is not zero: the server that serves the page embedding the payment form still has to be patched and access-controlled, and the processor has to be managed as a service provider. Confirm in your processor’s documentation which of its integrations qualify (Stripe documents this for Checkout and Elements).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
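An added example (not code from the original post, Stripe, PayPal or WooCommerce) of the server-side half of staying inside SAQ A: a guard that detects primary account numbers in request bodies and log lines, so a misconfigured form or a well-meaning support note cannot quietly pull card data onto your server or into your logs. The field-name list, the sample log line, the sample request bodies and the token value are all constructed for the example.

```javascript
// Added example (not code from the original post or from any payment processor):
// a server-side scope guard that refuses and redacts primary account numbers so
// they never land in your database or logs. Field names and samples are constructed.

// Luhn checksum: every real card number passes it; most random digit runs
// (order ids, timestamps) do not, which keeps false positives down.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, "");
  if (digits.length < 13 || digits.length > 19) return false;
  if (/^(\d)\1+$/.test(digits)) return false;   // 0000..., 1111... are placeholders, not cards
  return luhnValid(digits);
}

function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_RE)) if (isPan(m[0])) hits.push(m[0]);
  return hits;
}

// Keep only the last four digits (PCI DSS permits first six/last four in the
// clear; this keeps less). Separators are preserved so log layout does not shift.
function maskPan(candidate) {
  const total = candidate.replace(/[ -]/g, "").length;
  let seen = 0;
  return candidate.replace(/\d/g, (d) => (++seen <= total - 4 ? "*" : d));
}

// Redact every Luhn-valid PAN in a log line before it is written anywhere.
function redactPans(text) {
  return text.replace(PAN_RE, (m) => (isPan(m) ? maskPan(m) : m));
}

// Field names that should never reach your own server when the processor's
// hosted form is doing its job (assumed list; extend for your own form names).
const CARD_FIELD = /^(card[_-]?(number|no|num)?|pan|cvv2?|cvc|csc|security[_-]?code)$/i;

// Walk a parsed JSON body and return the paths that carry card data, either by
// suspicious field name or by a PAN-shaped, Luhn-valid value hiding in free text.
function cardDataPaths(value, path = "$") {
  const found = [];
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (CARD_FIELD.test(k)) { found.push(p); continue; }
      found.push(...cardDataPaths(v, p));
    }
  } else if (typeof value === "string" && findPans(value).length > 0) {
    found.push(path);
  }
  return found;
}

// Gate for a checkout or support endpoint: reject before the body is stored or logged.
function checkRequestBody(body) {
  const paths = cardDataPaths(body);
  return { ok: paths.length === 0, paths };
}
```

Run checkRequestBody on every checkout and support endpoint before the body is persisted or logged, and run redactPans over log lines at the logging layer rather than in individual handlers. The Luhn check removes most long digit runs that are not cards, but it is a filter, not an oracle: a timestamp or order number will occasionally pass it, so treat a hit as “investigate”, and treat a confirmed hit in production as a scope incident in its own right, because a single stored PAN takes you out of SAQ A.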
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. The designation expires after three years and must be renewed, so put the renewal date on your compliance calendar; a lapsed registration forfeits the safe harbor. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration gives you evidence of acceptance only if you keep it: store the user ID, the timestamp and the version of the terms accepted, because a checkbox that leaves no record proves nothing later. Keep GDPR consent separate from that checkbox. Data you need in order to run the account is processed under the contract basis and needs no consent box at all; marketing email needs its own, unticked checkbox, and consent bundled into the terms acceptance is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode is a one-line change in the tracking snippet (call disableCookies before trackPageView); combine it with the IP anonymization setting under Administration > Privacy. Run that way it does not require consent under most GDPR interpretations; France’s CNIL, for example, lists Matomo among the audience-measurement tools that can run without a banner when configured to its conditions.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. An explicit checkbox or button at signup (“clickwrap”) is far more reliably enforceable than a notice that using the site implies acceptance (“browsewrap”), which US courts have often declined to enforce
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
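The five requirements above are mechanical enough to enforce in code. What follows is an added example, not code from the article or from any of the consent plugins compared below: a minimal consent gate that keeps third-party tags inert until an active choice, keeps categories separate, makes withdrawal a single call, and produces a versioned, timestamped record of every decision. It assumes (this convention is not from the article) that third-party tags are embedded as `<script type="text/plain" data-consent="analytics" src="...">` so the browser parses but never executes them until the gate re-inserts them, which is the same blocking technique the plugins use. `POLICY_VERSION` and `COOKIES_BY_CATEGORY` are illustrative values.

```javascript
// Added example, not code from the article or from any plugin it compares.
// Assumed convention: third-party tags are embedded as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never executes them until this code re-inserts them.
// POLICY_VERSION and COOKIES_BY_CATEGORY are illustrative values.

const CATEGORIES = ["analytics", "marketing"]; // strictly necessary is never gated
const POLICY_VERSION = "2024-06"; // bump whenever the cookie policy text changes

// Cookies each category is known to set, so withdrawal can expire them. Illustrative.
const COOKIES_BY_CATEGORY = {
  analytics: ["_ga", "_gid"],
  marketing: ["_fbp"],
};

// Build a consent record from the banner's choices. Only an explicit boolean
// true counts: an unticked box, a missing key or a truthy string from a form
// is recorded as refused, so there is no pre-ticked or implied consent.
// `now` is injectable so records are reproducible in tests.
function buildConsentRecord(choices, now = () => new Date()) {
  const granted = {};
  for (const cat of CATEGORIES) granted[cat] = choices[cat] === true;
  return { version: POLICY_VERSION, timestamp: now().toISOString(), granted };
}

// Withdrawal must be as easy as consent: one call yields a record refusing
// every category, stored like any other consent record.
function withdrawAll(now = () => new Date()) {
  return buildConsentRecord({}, now);
}

// Which blocked tags may run. No record, or a record for an older policy
// version, means nothing runs: "prior" consent means the default is off.
// Tags with an unknown category stay blocked rather than falling through.
function tagsAllowedToRun(tags, record) {
  if (!record || record.version !== POLICY_VERSION) return [];
  return tags.filter(
    (t) => CATEGORIES.includes(t.category) && record.granted[t.category] === true
  );
}

// Cookie names to expire when a category granted in `previous` is refused in
// `current`. Re-inserting a script cannot be undone, so withdrawal also has
// to remove what the script already set.
function cookiesToDelete(previous, current) {
  const names = [];
  for (const cat of CATEGORIES) {
    const was = Boolean(previous && previous.granted[cat] === true);
    if (was && current.granted[cat] !== true) names.push(...COOKIES_BY_CATEGORY[cat]);
  }
  return names;
}

// Browser wiring; a no-op outside a browser. Replaces each permitted
// type="text/plain" placeholder with a real <script> so it executes and
// returns how many were activated.
function activateBlockedScripts(record) {
  if (typeof document === "undefined") return 0;
  const nodes = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const tags = nodes.map((n) => ({ category: n.dataset.consent, node: n }));
  let activated = 0;
  for (const t of tagsAllowedToRun(tags, record)) {
    const s = document.createElement("script");
    if (t.node.src) s.src = t.node.src;
    else s.textContent = t.node.textContent;
    t.node.replaceWith(s);
    activated += 1;
  }
  return activated;
}

// Expire cookies in the browser (no-op outside one). Analytics cookies are
// usually set on the parent domain, so pass that domain or the delete misses.
function expireCookies(names, domain) {
  if (typeof document === "undefined") return;
  for (const name of names) {
    document.cookie = `${name}=; Max-Age=0; path=/` + (domain ? `; domain=${domain}` : "");
  }
}
```

Store each record server-side (or in a first-party cookie plus a server log keyed by an anonymous consent ID) so it can be produced on request; the consent cookie itself needs no consent because it is strictly necessary to honour the visitor's choice. The version field matters: when the cookie policy changes, old records stop authorising anything and the banner is shown again.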
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR/ePrivacy whenever the tool sets cookies or other identifiers (cookie-less Matomo, discussed below, is the exception) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month of receipt; this can be extended by two further months for complex or numerous requests, but only if you tell the requester why within the first month)
- Process for deletion requests (erase data within the same one-month window, subject to exceptions such as legal retention obligations)
- Process for portability requests (export data in a machine-readable format such as JSON or CSV)
- Process for correction requests (update inaccurate data)
- Identity verification before fulfilling any request: a data subject request is also a social-engineering vector, so confirm that the requester controls the account or email address the data belongs to before releasing or erasing anything
- Document where you receive these requests (email address or form) and log each one with its receipt date so the deadline is tracked
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly and without undue delay. Keep an internal record of every breach, including those you decide are not reportable, because the supervisory authority can ask for it. Designate someone responsible for breach assessment and notification in your organization, and check that your hosting provider and other processors are contractually required to tell you promptly when they suffer a breach: your clock starts when you become aware, but regulators expect you to have arrangements that make you aware quickly.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment cards, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page, or a payment form served by the processor inside an iframe (Stripe, PayPal and Square all offer one). When card data goes straight from the customer's browser to the processor and never touches your server or your page's own JavaScript, you qualify for SAQ A, the shortest self-assessment questionnaire. If your own page's scripts read the card fields and post them to the processor (a "direct post" integration), the stricter SAQ A-EP applies instead, because your page can now affect the security of the payment, so prefer the iframe or hosted-page integration.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
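Keeping card numbers out of your own forms is a design rule, but a mis-wired checkout, a free-text "order notes" field or a support form can still deliver one to your server. The guard below is an added example, not code from the article, WooCommerce or any processor's SDK: it scans an inbound request body before anything is stored or logged, rejects any field that looks like a card number, and offers a redaction helper for log lines. A Luhn check keeps order numbers and phone numbers from tripping it. The Express-style middleware shape and the sample body are constructed for the example.

```javascript
// Added example, not code from the article, WooCommerce or any processor SDK.
// Rejects request fields that look like a card number (PAN) before they can
// be stored or logged. Middleware shape and sample body are constructed.

// Luhn checksum over a string of digits: true for a well-formed card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes.
// Processor tokens such as "tok_..." or "pm_..." never match because they
// contain letters; the Luhn check then rejects most non-card digit runs.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    if (luhnValid(m[0].replace(/[ -]/g, ""))) hits.push(m[0]);
  }
  return hits;
}

// Walk a possibly nested body and return the dotted paths of fields holding a PAN.
function scanBody(body, path = "") {
  const findings = [];
  if (body !== null && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      findings.push(...scanBody(v, path ? `${path}.${k}` : k));
    }
  } else if (typeof body === "string" || typeof body === "number") {
    if (findPans(body).length > 0) findings.push(path || "(root)");
  }
  return findings;
}

// Redacted copy for logging: keep only the last four digits, so a leaked log
// line is not itself cardholder data.
function redactPans(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? "*".repeat(digits.length - 4) + digits.slice(-4) : m;
  });
}

// Express-style middleware. Reject outright rather than accept and "clean up
// later": once the PAN has been written anywhere, that system is in scope.
function rejectCardData(req, res, next) {
  const fields = scanBody(req.body);
  if (fields.length > 0) {
    return res.status(400).json({
      error: "card details must be entered in the payment form only",
      fields,
    });
  }
  return next();
}

// Constructed sample body: a checkout note where a customer pasted a card
// number (4111 1111 1111 1111 is Visa's public test number), next to a
// 13-digit order reference that must not be flagged and a processor token.
const SAMPLE_BODY = {
  token: "pm_1AbCdEfGhIjKlMn",
  order: { ref: "1234567890123", notes: "please charge 4111 1111 1111 1111 instead" },
};
```

Mount the middleware in front of every route that writes to the database, the mailer or the log, not just the checkout, and run the same redaction over anything that goes to a third-party error tracker. Returning 400 with the offending field names lets the front end tell the customer what to do without echoing the number back.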
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (typically 13, or 16 for sites serving the EU, where the GDPR default age of digital consent is 16 and member states may lower it to 13), and add an age check to registration forms if there is any possibility of underage users. Store only the outcome of the check (for example an over-13 flag) rather than the full date of birth, which is itself personal data you would then have to protect, disclose and eventually erase.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance; store the timestamp and the version of the terms that was accepted with it. For GDPR consent, each purpose needs its own unticked checkbox: marketing email consent must not be bundled with ToS acceptance, and the account data needed to provide the service is processed on the contract basis and should not carry a consent checkbox at all, because consent that cannot genuinely be refused is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers (the ePrivacy "soft opt-in" for existing customers is narrow and still requires an opt-out in every message). Under CAN-SPAM (US), opt-in is not required but unsubscribe requests must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages; implied consent exists only in limited cases, such as an existing business relationship, and it is time-limited.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Several supervisory authorities (CNIL's audience-measurement exemption, for example) do not require consent when it is configured correctly: cookie-less, IP anonymization on, no cross-site tracking, data used only for audience measurement. Self-hosting also means you own the patching and hardening of the Matomo instance and its database.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
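As an added example (not code from the article or from any of the consent plugins it names), the following Node.js module shows the mechanics behind the requirements list and the category table above: scripts are blocked by default, only the categories the user explicitly ticks are unblocked, rejecting is as easy as accepting, withdrawal has the same shape as granting, and every decision is logged with user, time and policy version. The category names, record fields and the `createConsentManager` API are assumptions made for the illustration.

```javascript
"use strict";

// Cookie categories from the table above; "necessary" is exempt from consent.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Hypothetical consent manager: scripts are registered with the category they
// belong to and run only once that category has been actively consented to.
function createConsentManager({ policyVersion = "1", now = () => new Date() } = {}) {
  // Prior consent: everything except strictly necessary starts blocked.
  const state = { necessary: true, functional: false, analytics: false, marketing: false };
  const log = [];     // consent records: who, when, what, under which policy version
  const pending = []; // scripts parked until their category is allowed

  function assertCategory(c) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
  }

  function record(userId, action) {
    log.push({ userId, action, at: now().toISOString(), policyVersion,
               granted: CATEGORIES.filter((c) => state[c]) });
  }

  function isAllowed(category) {
    assertCategory(category);
    return state[category];
  }

  function registerScript(category, id, run) {
    assertCategory(category);
    if (state[category]) run();
    else pending.push({ category, id, run });
  }

  // Run parked scripts whose category is now allowed; keep the rest parked.
  function flushPending() {
    for (const s of pending.splice(0)) {
      if (state[s.category]) s.run();
      else pending.push(s);
    }
  }

  // Granular, active consent: the caller passes exactly the categories the user
  // ticked. There is no default and no consent by scrolling; an empty list is a
  // rejection and is logged as such, so "Reject All" is as easy as "Accept All".
  function grant(userId, categories) {
    if (!Array.isArray(categories)) throw new Error("consent must be an explicit list");
    for (const c of categories) { assertCategory(c); state[c] = true; }
    record(userId, categories.length ? "grant" : "reject");
    flushPending();
  }
  function acceptAll(userId) { grant(userId, CATEGORIES.filter((c) => c !== "necessary")); }
  function rejectAll(userId) { grant(userId, []); }

  // Withdrawal has the same shape as granting. Scripts that already ran cannot be
  // un-run, so the caller gets back the categories whose cookies it must now
  // delete; anything still parked in those categories stays parked.
  function withdraw(userId, categories) {
    const changed = [];
    for (const c of categories) {
      assertCategory(c);
      if (c === "necessary") continue; // exempt, not consent-based, so not withdrawable
      if (state[c]) { state[c] = false; changed.push(c); }
    }
    record(userId, "withdraw");
    return changed;
  }

  return { isAllowed, registerScript, grant, acceptAll, rejectAll, withdraw,
           getLog: () => log.slice(), getPending: () => pending.map((s) => s.id) };
}

// Walk-through with a fixed clock so the log is deterministic (constructed data).
function demo() {
  const clock = () => new Date("2026-01-15T10:00:00Z");
  const cm = createConsentManager({ policyVersion: "2026-01", now: clock });
  const ran = [];
  cm.registerScript("necessary", "csrf-token", () => ran.push("csrf-token"));
  cm.registerScript("analytics", "analytics-tag", () => ran.push("analytics-tag"));
  cm.registerScript("marketing", "ad-pixel", () => ran.push("ad-pixel"));
  cm.grant("visitor-42", ["analytics"]);                    // banner: only analytics ticked
  const toClear = cm.withdraw("visitor-42", ["analytics"]); // footer "cookie settings" link
  return { ran, toClear, pending: cm.getPending(), log: cm.getLog() };
}
```

In a real deployment the `run` callbacks would inject the tag or pixel `<script>` elements, and the returned `toClear` list drives deletion of those vendors' cookies; the log is what you produce when a supervisory authority asks for proof of consent.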
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
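The monthly cookie scan in the table is easiest to keep honest when it is a diff against what your cookie policy declares rather than a manual look at the browser's storage panel. Here is an added example of that diff, not code from the post or from any cookie-scanner product: it parses `Set-Cookie` headers captured while crawling your own pages, compares them with a declared inventory, and reports undeclared cookies, stale policy entries, lifetimes longer than declared, and third-party hosts. The cookie names, domains and inventory below are constructed, and the "last two labels" domain comparison is a stand-in for a Public Suffix List lookup.

```javascript
// Added example, not code from the original post or from any cookie-scanner
// product. Cookie names, domains and the inventory below are constructed.

function parseSetCookie(header, requestHost, now = Date.now()) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), domain: requestHost.toLowerCase(), persistent: false, lifetimeDays: 0 };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'domain':
        cookie.domain = value.replace(/^\./, '').toLowerCase();
        break;
      case 'max-age':            // seconds; takes precedence over Expires (RFC 6265)
        cookie.persistent = true;
        cookie.lifetimeDays = Number(value) / 86400;
        break;
      case 'expires':
        if (!cookie.persistent) {
          cookie.persistent = true;
          cookie.lifetimeDays = Math.max(0, (Date.parse(value) - now) / 86400000);
        }
        break;
    }
  }
  return cookie;
}

// Naive eTLD+1; real code should use the Public Suffix List (e.g. co.uk hosts).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

function auditCookies(captured, siteHost, declared, now = Date.now()) {
  const declaredByName = new Map(declared.map(d => [d.name, d]));
  const seen = new Set();
  const findings = [];
  for (const { url, header } of captured) {
    const c = parseSetCookie(header, new URL(url).hostname, now);
    seen.add(c.name);
    const d = declaredByName.get(c.name);
    if (!d) {
      findings.push({ cookie: c.name, issue: 'undeclared', domain: c.domain });
    } else if (c.persistent && c.lifetimeDays > d.maxDays + 1) {
      findings.push({ cookie: c.name, issue: 'lifetime exceeds declared', declaredDays: d.maxDays, actualDays: Math.round(c.lifetimeDays) });
    }
    if (registrableDomain(c.domain) !== registrableDomain(siteHost)) {
      findings.push({ cookie: c.name, issue: 'third-party', domain: c.domain });
    }
  }
  // Policy text that describes cookies you no longer set is also inaccurate.
  for (const d of declared) {
    if (!seen.has(d.name)) findings.push({ cookie: d.name, issue: 'declared but not observed' });
  }
  return findings;
}

// Constructed inventory: what the cookie policy page currently says.
const DECLARED = [
  { name: 'wp_session', category: 'necessary', maxDays: 0 },      // session cookie
  { name: '_ga', category: 'analytics', maxDays: 730 },
  { name: 'old_ab_test', category: 'functional', maxDays: 30 },
];

// Constructed capture from a crawl of example.com after a plugin install.
const CAPTURED = [
  { url: 'https://example.com/', header: 'wp_session=abc123; Path=/; Secure; HttpOnly' },
  { url: 'https://example.com/', header: '_ga=GA1.2.111; Max-Age=63072000; Path=/; Domain=.example.com' },
  { url: 'https://example.com/shop', header: 'shop_cart=9f2e; Max-Age=172800; Path=/' },
  { url: 'https://ads.thirdparty.example/px', header: 'uid=77; Max-Age=31536000; Domain=.thirdparty.example' },
];

function runAudit() {
  return auditCookies(CAPTURED, 'example.com', DECLARED);
}
```

Run the audit after every plugin install as well as on the monthly schedule; an "undeclared" finding is the signal that the privacy policy, cookie policy and consent banner categories all need updating together.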
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
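The SAQ A claim only holds while it is actually true, and a plugin update or a well-meaning custom form field can quietly start posting card numbers to your own server. The following added example (not code from the post, from Stripe or from any other processor's SDK) is a server-side guard for a checkout endpoint: it scans the request body for PAN-shaped digit runs that pass the Luhn check, rejects them with a masked report, and otherwise insists on an opaque processor token. The `tok_`/`pm_` token shape is an assumption made for the example.

```javascript
// Added example, not code from the original post or from any payment
// processor's SDK. The token prefix check is an assumption for the example.

function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
// Luhn filters out most order numbers and phone numbers, but expect some false
// positives on long numeric IDs; treat a hit as "investigate", not "certain".
function findPans(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// First six and last four digits are the permitted display form; never log more.
function maskPan(pan) {
  return pan.slice(0, 6) + '*'.repeat(pan.length - 10) + pan.slice(-4);
}

// Checkout handler guard. Returns a decision object rather than throwing so the
// caller can log the masked finding and alert: a PAN on your server means the
// client-side tokenization broke or a form field was added that should not exist.
function checkCheckoutRequest(body) {
  const pans = findPans(JSON.stringify(body));
  if (pans.length > 0) {
    return { ok: false, reason: 'raw card data received', masked: pans.map(maskPan) };
  }
  if (typeof body.paymentToken !== 'string' || !/^(tok|pm)_[A-Za-z0-9]+$/.test(body.paymentToken)) {
    return { ok: false, reason: 'missing processor token' };
  }
  return { ok: true };
}
```

Point the same `findPans` function at your application logs and database dumps during the annual review: a hit there is a PCI scope problem even if the checkout form itself is clean.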
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is never to handle card data yourself: use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
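Staying inside SAQ A depends on card numbers never reaching your own server, and the way that promise gets broken in practice is a custom form field, a support ticket, or a debug log. The guard below, an added example that is not code from the article or from Stripe, PayPal or WooCommerce, inspects an inbound form post for Luhn-valid 13 to 19 digit runs so such a request can be rejected and alerted on, and masks anything it reports so the log itself does not become card data. The field names, sample requests and masking format are assumptions.

```javascript
// Added example (not from the original article or any payment processor): a
// server-side guard that checks no primary account number (PAN) reaches your
// own form handler or logs. Field names and sample requests are constructed.

// Luhn check: every real card number passes it, which separates card numbers
// from order ids and phone numbers that happen to be long digit strings.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally grouped with spaces or dashes, that pass Luhn.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
function findPanCandidates(text) {
  const found = [];
  for (const m of String(text).matchAll(PAN_RE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Keep only the last four digits whenever a finding has to be written anywhere.
function maskPan(digits) {
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Inspect every field of an inbound form post. Returns the offending field names
// with masked values; the raw numbers are never returned, stored or logged.
function scanFormFields(fields) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    const pans = findPanCandidates(value);
    if (pans.length) offending.push({ field: name, masked: pans.map(maskPan) });
  }
  return offending;
}

// Constructed requests: a correct checkout carries only the processor's token;
// the second one is what a home-made "enter your card" form would send.
const SAMPLE_GOOD = { order_id: "ORD-2024-0001", payment_token: "tok_constructed_123", notes: "call me on 555-0100" };
const SAMPLE_BAD = { order_id: "ORD-2024-0002", card_number: "4111 1111 1111 1111", cvc: "123" };

function demo() {
  return { good: scanFormFields(SAMPLE_GOOD), bad: scanFormFields(SAMPLE_BAD) };
}
```

Run the same scan over your application logs and error reports occasionally; a tokenised checkout that is correctly scoped should never produce a hit, and a single hit means the scope statement in your SAQ A is no longer true.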
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
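To make the five rules above and the category table concrete, here is an added example (not code from the original post or from any of the plugins it compares): a small consent gate in JavaScript that keeps every non-essential category denied until an explicit grant, treats withdrawal as a single call, shows the banner only to visitors from consent regions, and writes a consent record (what, when, by whom) for each decision. The `ConsentManager` class, the `SCRIPTS` inventory and the EU/UK region list are all constructed for the example; wiring it to a real banner and to `<script type="text/plain">` tags is left to the site.

```javascript
// Added example (not from the original post). Runs under Node without a DOM.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== 'necessary');

// Constructed list of regions where the ePrivacy/GDPR rules apply; a real
// CMP uses its own country table for geo-targeting.
const CONSENT_REGIONS = new Set(['EU', 'UK']);

class ConsentManager {
  constructor({ visitorId, region, now = () => new Date() }) {
    this.visitorId = visitorId;
    this.region = region;
    this.now = now;
    this.log = []; // consent records: what was granted/denied, when, by whom
    // "Prior" consent: every non-essential category starts out denied.
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, c === 'necessary']));
    this.decided = false;
  }

  // Geo-targeting: the banner is only required in consent regions, and only
  // until the visitor has made a choice.
  requiresBanner() {
    return CONSENT_REGIONS.has(this.region) && !this.decided;
  }

  // Granular grant: `granted` is exactly the set of categories the user ticked.
  // There is no way to pre-tick anything because the default is "denied" and
  // only this explicit call changes it.
  update(granted, method) {
    const unknown = granted.filter((c) => !CATEGORIES.includes(c));
    if (unknown.length) throw new Error(`unknown categories: ${unknown.join(',')}`);
    for (const c of NON_ESSENTIAL) this.state[c] = granted.includes(c);
    this.decided = true;
    this._record(method);
  }

  acceptAll() { this.update(NON_ESSENTIAL, 'accept_all'); }
  rejectAll() { this.update([], 'reject_all'); }
  // Withdrawal is as easy as granting: one call from the footer settings link.
  withdraw() { this.update([], 'withdraw'); }

  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true; // strictly necessary is exempt
    // Outside consent regions the site runs without a banner; inside them
    // only an explicit grant unlocks a category.
    if (!CONSENT_REGIONS.has(this.region) && !this.decided) return true;
    return this.state[category];
  }

  // Given script descriptors (as read from <script type="text/plain"
  // data-category="..."> tags), return the ones that may be activated now.
  scriptsToActivate(scripts) {
    return scripts.filter((s) => this.isAllowed(s.category));
  }

  _record(method) {
    this.log.push({
      visitorId: this.visitorId,
      at: this.now().toISOString(),
      method,
      granted: NON_ESSENTIAL.filter((c) => this.state[c]),
      denied: NON_ESSENTIAL.filter((c) => !this.state[c]),
    });
  }
}

// Constructed script inventory for the demo, one per category in the table.
const SCRIPTS = [
  { src: '/js/csrf-token.js', category: 'necessary' },
  { src: '/js/lang-pref.js', category: 'functional' },
  { src: 'https://analytics.example/script.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Walk an EU visitor through: page load, ticking analytics only, withdrawing.
function demo() {
  const cm = new ConsentManager({ visitorId: 'v-123', region: 'EU' });
  const before = cm.scriptsToActivate(SCRIPTS).map((s) => s.category);
  cm.update(['analytics'], 'banner'); // user ticks analytics, leaves marketing unticked
  const after = cm.scriptsToActivate(SCRIPTS).map((s) => s.category);
  cm.withdraw();
  return { before, after, log: cm.log };
}

console.log(JSON.stringify(demo(), null, 2));
```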
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
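An added example (not from the original post) that checks the 4.5:1 ratio above without a browser extension: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas in JavaScript and also applies the spec's 3:1 threshold for large text, which the post does not mention. The `auditPalette` input is constructed.

```javascript
// Added example (not from the original post): WCAG 2.1 contrast checker.
// Colours are 6-digit hex strings such as '#767676'.

function hexToRgb(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`expected a 6-digit hex colour, got ${hex}`);
  const n = parseInt(m[1], 16);
  return [(n >> 16) & 255, (n >> 8) & 255, n & 255];
}

// sRGB channel (0-255) -> linear light, per the WCAG 2.1 relative luminance definition.
function linearize(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map(linearize);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L_lighter + 0.05) / (L_darker + 0.05); symmetric in fg/bg.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// Level AA: 4.5:1 for normal text, 3:1 for large text (18pt, or 14pt bold).
function passesAA(fg, bg, { largeText = false } = {}) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Audit a palette and return only the failing pairs, ratio rounded to 2 dp,
// so the high-severity issues can be fixed first.
function auditPalette(pairs) {
  return pairs
    .map((p) => ({ ...p, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }))
    .filter((p) => !passesAA(p.fg, p.bg, { largeText: !!p.largeText }));
}

// Constructed palette: body text, a too-light grey, and a large heading.
const PALETTE = [
  { name: 'body', fg: '#000000', bg: '#ffffff' },
  { name: 'muted', fg: '#777777', bg: '#ffffff' },
  { name: 'heading', fg: '#777777', bg: '#ffffff', largeText: true },
];

console.log(auditPalette(PALETTE));
```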
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
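To make the requirements above concrete (prior consent, no pre-ticked default, granular categories matching the table, easy withdrawal, and a record of what was consented to and when), here is an added example that is not code from the post or from any plugin it compares: a small consent gate in JavaScript. The policy version constant, storage key and category names are assumptions; a real deployment would post each record to a server-side consent log that adds the user or session identifier and IP address.

```javascript
// Consent gate (added example): optional-category scripts stay unloaded until the
// visitor opts in to that category; every decision is recorded; withdrawal is an event.
// Storage, clock and loaders are injected so it runs in a browser or an offline test.
const CONSENT_VERSION = 2; // assumption: bump whenever the cookie policy text changes
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"]; // strictly necessary never asks

class ConsentManager {
  // store: { get(key) -> string|null, set(key, value) }; onRecord: ships each
  // decision to your server-side consent log (which adds user/session id and IP).
  constructor({ store, now = () => new Date(), onRecord = () => {}, storageKey = "cookie_consent" }) {
    Object.assign(this, { store, now, onRecord, storageKey });
    this.pending = []; // registered scripts still waiting for consent
  }

  // Current decision, or null if none exists or it predates the policy version
  // (a changed policy means consent has to be asked for again).
  current() {
    const raw = this.store.get(this.storageKey);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    return rec && rec.version === CONSENT_VERSION && rec.granted ? rec : null;
  }

  isAllowed(category) {
    const rec = this.current();
    return rec !== null && rec.granted[category] === true;
  }

  // Register a tag; `load` runs only once its category is permitted (in a browser
  // it would append the <script> element for, say, the analytics snippet).
  register(category, load) {
    if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ category, load });
    this.flush();
  }

  // Record a decision. Anything not explicitly true counts as refused, so there is
  // no pre-ticked default; `method` documents how consent was obtained.
  decide(choices, method = "banner") {
    const granted = {};
    for (const c of OPTIONAL_CATEGORIES) granted[c] = choices[c] === true;
    const record = { version: CONSENT_VERSION, timestamp: this.now().toISOString(), method, granted };
    this.store.set(this.storageKey, JSON.stringify(record));
    this.onRecord(record);
    this.flush();
    return record;
  }

  acceptAll(method = "banner") {
    return this.decide(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true])), method);
  }

  // Withdrawal is as easy as consent: one call, logged as its own event. Scripts
  // already loaded cannot be unloaded (their cookies must be cleared separately),
  // but nothing further loads from this point on.
  withdraw() { return this.decide({}, "withdraw"); }

  flush() {
    const stillWaiting = [];
    for (const tag of this.pending) {
      if (this.isAllowed(tag.category)) tag.load();
      else stillWaiting.push(tag);
    }
    this.pending = stillWaiting;
  }
}

// In-memory store for tests/SSR. In the browser pass
// { get: (k) => localStorage.getItem(k), set: (k, v) => localStorage.setItem(k, v) }.
class MemoryStore {
  constructor() { this.map = new Map(); }
  get(key) { return this.map.has(key) ? this.map.get(key) : null; }
  set(key, value) { this.map.set(key, String(value)); }
}

// Walk-through with constructed tags: nothing loads before a decision, a granular
// "analytics only" choice loads just that tag, and withdrawal blocks later tags.
function demo() {
  const log = [];
  const loaded = [];
  const cm = new ConsentManager({
    store: new MemoryStore(),
    now: () => new Date("2024-05-01T10:00:00Z"),
    onRecord: (r) => log.push(r),
  });
  cm.register("analytics", () => loaded.push("analytics"));
  cm.register("marketing", () => loaded.push("marketing"));
  const beforeDecision = loaded.length; // 0: nothing set before the visitor decides
  cm.decide({ analytics: true });       // marketing stays refused
  cm.withdraw();
  cm.register("marketing", () => loaded.push("marketing-late"));
  return { beforeDecision, loaded, log };
}
```

Plugins such as Complianz or CookieBot do the same job with a scanner and UI on top; the point of the gate is that the loader for a tag is never called before a recorded decision covers its category.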
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced, down to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
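A plugin that keeps its own personal data can plug into the same Export Personal Data and Erase Personal Data tools by registering an exporter and an eraser callback. The following is an added example written for this page, not code from the article, from WordPress core or from any plugin it names; it assumes a hypothetical plugin table `wp_newsletter_consent` with the columns listed in the comment, and every `example_` or `example-` prefixed name is a placeholder.

```php
<?php
// Added example (not from the article or WordPress core). Hooks a hypothetical plugin
// table wp_newsletter_consent(id, email, purpose, granted_at, ip, method, withdrawn_at)
// into Tools > Export Personal Data and Tools > Erase Personal Data.
// All "example_" names are placeholders; the file belongs in a plugin or mu-plugin.

add_filter('wp_privacy_personal_data_exporters', function (array $exporters): array {
    $exporters['example-newsletter-consent'] = [
        'exporter_friendly_name' => __('Newsletter consent records', 'example-newsletter'),
        'callback'               => 'example_newsletter_consent_exporter',
    ];
    return $exporters;
});

// WordPress calls this with the requester's email address and expects the
// rows back in its export item format (group, item id, name/value pairs).
function example_newsletter_consent_exporter($email_address, $page = 1) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter_consent';
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, purpose, granted_at, ip, method, withdrawn_at FROM {$table} WHERE email = %s",
            $email_address
        ),
        ARRAY_A
    );

    $items = [];
    foreach ((array) $rows as $row) {
        $items[] = [
            'group_id'    => 'example-newsletter-consent',
            'group_label' => __('Newsletter consent', 'example-newsletter'),
            'item_id'     => 'newsletter-consent-' . $row['id'],
            'data'        => [
                ['name' => __('Purpose', 'example-newsletter'),             'value' => $row['purpose']],
                ['name' => __('Consent given (UTC)', 'example-newsletter'), 'value' => $row['granted_at']],
                ['name' => __('IP address', 'example-newsletter'),          'value' => $row['ip']],
                ['name' => __('Method', 'example-newsletter'),              'value' => $row['method']],
                ['name' => __('Withdrawn', 'example-newsletter'),           'value' => $row['withdrawn_at'] ?? __('no', 'example-newsletter')],
            ],
        ];
    }
    // 'done' => true tells core there is no further page to fetch from this exporter.
    return ['data' => $items, 'done' => true];
}

add_filter('wp_privacy_personal_data_erasers', function (array $erasers): array {
    $erasers['example-newsletter-consent'] = [
        'eraser_friendly_name' => __('Newsletter consent records', 'example-newsletter'),
        'callback'             => 'example_newsletter_consent_eraser',
    ];
    return $erasers;
});

function example_newsletter_consent_eraser($email_address, $page = 1) {
    global $wpdb;
    $table   = $wpdb->prefix . 'newsletter_consent';
    $deleted = $wpdb->delete($table, ['email' => $email_address], ['%s']);

    // Report honestly: if some rows had to be kept (for example under a legal obligation),
    // set items_retained to true and explain why in messages so the admin sees it in the UI.
    return [
        'items_removed'  => $deleted !== false && $deleted > 0,
        'items_retained' => false,
        'messages'       => [],
        'done'           => true,
    ];
}
```

Once both hooks are active, the plugin's rows appear in the requester's export ZIP alongside the core data, and an erasure request removes them in the same run, which is what makes the 30-day access and deletion processes in the checklist above workable without manual database queries.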
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
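The requirements list and the category table above translate into a small amount of logic that any banner, plugin or custom implementation has to get right. The following is an added example, not code from the original post or from any of the plugins compared below: a framework-free consent-state module (names such as recordConsent and permittedTags, the policy version string and the tag list are all this example's own constructions) that enforces "prior", "no pre-ticked", "granular", "withdrawable" and "recorded" consent and only releases non-essential scripts once a matching record exists.

```javascript
// Added example (not from the original post or any consent plugin): consent-state
// logic with no DOM dependency so it can be unit-tested; wiring it to banner
// checkboxes and to the site's script loader is left to the site.

// Category names follow the Cookie Categories table; only "necessary" is exempt.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Constructed value: bump it whenever the cookie policy text changes so old
// consent is re-requested instead of silently reused.
const POLICY_VERSION = '2024-01';

// "No pre-ticked boxes": before the visitor acts, every non-essential category is off.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// "Prior consent": with no stored record, nothing non-essential may run.
// Returns true only when the stored record explicitly allows the category.
function isAllowed(record, category) {
  if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
  if (category === 'necessary') return true;                  // strictly necessary: exempt
  if (!record || record.withdrawnAt) return false;            // no consent, or withdrawn
  if (record.policyVersion !== POLICY_VERSION) return false;  // consent given to older text
  return record.choices[category] === true;
}

// "Consent records": what was consented to, when, by whom, and under which policy.
// `choices` comes from the banner's checkboxes; `visitorId` is a pseudonymous id the
// site assigns (e.g. a random cookie value); `now` is injectable for testing.
function recordConsent(choices, visitorId, now = new Date()) {
  const granted = defaultChoices();
  for (const c of CATEGORIES) {
    if (c === 'necessary') continue;
    granted[c] = choices[c] === true; // anything not explicitly true stays false
  }
  return {
    visitorId,
    choices: granted,
    givenAt: now.toISOString(),
    policyVersion: POLICY_VERSION,
    withdrawnAt: null,
  };
}

// "Reject All" must be as easy as "Accept All": both are a single call.
function acceptAll(visitorId, now) {
  return recordConsent({ functional: true, analytics: true, marketing: true }, visitorId, now);
}
function rejectAll(visitorId, now) {
  return recordConsent({}, visitorId, now);
}

// "Easy withdrawal": keep the original record (the audit trail) and mark it withdrawn.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Script blocking: given the site's tag list, return only the tags that may load.
// Each tag carries the category it belongs to; unknown categories are refused.
function permittedTags(record, tags) {
  return tags.filter((t) => isAllowed(record, t.category)).map((t) => t.src);
}

// Constructed tag list standing in for what a consent plugin would manage.
const SITE_TAGS = [
  { src: '/js/csrf-token.js', category: 'necessary' },
  { src: '/js/language-pref.js', category: 'functional' },
  { src: 'https://analytics.example/script.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];
```

Before any record exists, permittedTags returns only the strictly necessary script; a record is the only thing that releases the rest, and withdrawing it closes them again.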
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (a 4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (a free browser extension) for a free accessibility audit. Fix high-severity issues first.
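The 4.5:1 figure is a computed ratio, so colour pairs can be checked in a build step rather than waiting for an audit to flag them. The following is an added example, not code from the original post or from WAVE or axe: the WCAG 2.1 relative-luminance and contrast-ratio formulas with an AA check, run over a constructed sample palette (function names and the palette are this example's own).

```javascript
// Added example (not from the original post): WCAG 2.1 contrast ratio computation.
// The luminance formula and the 0.03928 sRGB cut-off are the ones WCAG 2.1 defines.

// Convert "#rrggbb" (or "#rgb") to [r, g, b] in 0-255.
function hexToRgb(hex) {
  let h = hex.replace(/^#/, '');
  if (h.length === 3) h = h.split('').map((c) => c + c).join('');
  if (!/^[0-9a-fA-F]{6}$/.test(h)) throw new Error('bad hex colour: ' + hex);
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// WCAG relative luminance: linearise each sRGB channel, then weight R, G and B.
function relativeLuminance([r, g, b]) {
  const lin = (c) => {
    const s = c / 255;
    return s <= 0.03928 ? s / 12.92 : Math.pow((s + 0.055) / 1.055, 2.4);
  };
  return 0.2126 * lin(r) + 0.7152 * lin(g) + 0.0722 * lin(b);
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour on top, so it is >= 1.
function contrastRatio(fgHex, bgHex) {
  const l1 = relativeLuminance(hexToRgb(fgHex));
  const l2 = relativeLuminance(hexToRgb(bgHex));
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA thresholds: 4.5:1 for normal text, 3:1 for large text (18pt+, or 14pt bold).
function meetsAA(fgHex, bgHex, { largeText = false } = {}) {
  return contrastRatio(fgHex, bgHex) >= (largeText ? 3 : 4.5);
}

// Constructed sample palette: the kind of footer/link colours a theme ships with.
const SAMPLE_PAIRS = [
  { name: 'body text', fg: '#333333', bg: '#ffffff' },
  { name: 'footer link', fg: '#999999', bg: '#ffffff' },
  { name: 'button', fg: '#ffffff', bg: '#0066cc' },
];

// Returns the pairs that fail AA for normal text, with their ratio rounded to 2 dp.
function auditPairs(pairs) {
  return pairs
    .filter((p) => !meetsAA(p.fg, p.bg))
    .map((p) => ({ name: p.name, ratio: Math.round(contrastRatio(p.fg, p.bg) * 100) / 100 }));
}
```

The light-grey footer link in the sample palette is the classic failure: it reads fine to a sighted designer but lands below 3:1, so it fails even the large-text threshold.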
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
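As an added example (not code from the post or from any of the plugins compared below), here is a minimal consent gate in plain JavaScript that applies the rules above to the categories in the table. It assumes non-essential scripts are embedded inert as `<script type="text/plain" data-consent="analytics" src="...">` and only become real scripts once their category is consented to; the `data-consent` attribute, the storage key and the policy version string are this example's own assumptions.

```javascript
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01";   // constructed value; bump it whenever the cookie policy changes
const STORAGE_KEY = "cookie_consent"; // constructed localStorage key

// Build a consent record from the banner's choices. Every non-essential
// category defaults to false (no pre-ticked boxes) and only an explicit
// `true` switches it on; "necessary" is exempt and always allowed.
function buildConsent(choices, now = new Date()) {
  const categories = {};
  for (const cat of CATEGORIES) {
    categories[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return {
    categories,                          // what was consented to
    policyVersion: POLICY_VERSION,       // against which policy text
    timestamp: now.toISOString(),        // when
    method: choices.method || "banner",  // how: banner, settings-panel, accept-all, reject-all
  };
}

// "Reject all" must be as easy as "Accept all", so both are a single call.
function acceptAll(now) {
  return buildConsent({ functional: true, analytics: true, marketing: true, method: "accept-all" }, now);
}
function rejectAll(now) {
  return buildConsent({ method: "reject-all" }, now);
}

// A stored record only counts if it was given against the current policy
// version; after a policy change the visitor has to be asked again.
function isCurrent(record) {
  return !!record && !!record.categories && record.policyVersion === POLICY_VERSION;
}

// Pure gate: which registered scripts may run under this record? With no
// current record only strictly necessary scripts pass ("prior" consent).
function allowedScripts(scripts, record) {
  const cats = isCurrent(record) ? record.categories : { necessary: true };
  return scripts.filter((s) => cats[s.category] === true);
}

// Browser side: persist the record, then turn the inert tags whose category
// was consented to into live <script> elements (inserting a fresh element is
// what makes the browser execute it). Returns how many scripts were activated.
function applyConsent(record, win) {
  if (!win || !win.document) return 0;
  win.localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
  let activated = 0;
  win.document.querySelectorAll('script[type="text/plain"][data-consent]').forEach((el) => {
    const cat = el.getAttribute("data-consent");
    if (!isCurrent(record) || record.categories[cat] !== true) return;
    const live = win.document.createElement("script");
    if (el.getAttribute("src")) live.src = el.getAttribute("src");
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  });
  return activated;
}

// On page load: reuse a current stored record, otherwise report that the
// banner must be shown. Nothing non-essential runs until a decision exists.
function initConsent(win) {
  let stored = null;
  try { stored = JSON.parse(win.localStorage.getItem(STORAGE_KEY)); } catch (e) { stored = null; }
  if (isCurrent(stored)) { applyConsent(stored, win); return "consent-applied"; }
  return "show-banner";
}

// Withdrawal from the footer "Cookie settings" link. Scripts that already ran
// cannot be un-run, so clear the cookies they set and reload after this call;
// the stored record now says "rejected" for the next page load.
function withdrawConsent(win, now) {
  const record = rejectAll(now);
  applyConsent(record, win); // stores the rejection; activates nothing new
  return record;
}
```

A record produced by `buildConsent` is also what you send to your server as the consent log entry, together with an opaque visitor id rather than the raw IP unless you have a lawful basis to keep it.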
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (at least 4.5:1 for normal text and 3:1 for large text), full keyboard operability, screen reader compatibility (meaningful headings, form labels and ARIA roles), captions for video, and nothing that flashes more than three times in any one-second period (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit, and fix high-severity issues first. Automated scanners catch only a fraction of WCAG failures, so finish with a manual pass using only the keyboard and a screen reader (NVDA or VoiceOver) on your key flows such as registration and checkout.
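The 4.5:1 figure comes from a defined formula, and it is worth being able to compute it yourself rather than discovering a failing grey-on-white palette only when a scanner flags it. The following is an added example, not code from the original post or from WAVE or axe: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and checks a constructed sample palette against the AA thresholds.

```python
"""WCAG 2.1 contrast-ratio check (added example, not from the original post).

Implements the relative-luminance and contrast-ratio formulas from WCAG 2.1
(success criterion 1.4.3) so a colour pair can be checked before it ships.
"""


def _srgb_channel_to_linear(channel: int) -> float:
    """Convert an 8-bit sRGB channel to linear light, as WCAG specifies."""
    c = channel / 255.0
    if c <= 0.03928:
        return c / 12.92
    return ((c + 0.055) / 1.055) ** 2.4


def parse_hex(colour: str) -> tuple[int, int, int]:
    """Parse '#rgb' or '#rrggbb' into an (r, g, b) tuple of 0-255 ints."""
    value = colour.strip().lstrip("#")
    if len(value) == 3:
        value = "".join(ch * 2 for ch in value)
    if len(value) != 6 or any(ch not in "0123456789abcdefABCDEF" for ch in value):
        raise ValueError(f"not a hex colour: {colour!r}")
    return tuple(int(value[i:i + 2], 16) for i in (0, 2, 4))


def relative_luminance(colour: str) -> float:
    """WCAG relative luminance: 0.2126 R + 0.7152 G + 0.0722 B on linearised channels."""
    r, g, b = (_srgb_channel_to_linear(ch) for ch in parse_hex(colour))
    return 0.2126 * r + 0.7152 * g + 0.0722 * b


def contrast_ratio(foreground: str, background: str) -> float:
    """Contrast ratio (L1 + 0.05) / (L2 + 0.05) with L1 the lighter colour; ranges 1 to 21."""
    l1 = relative_luminance(foreground)
    l2 = relative_luminance(background)
    lighter, darker = max(l1, l2), min(l1, l2)
    return (lighter + 0.05) / (darker + 0.05)


def passes_aa(foreground: str, background: str, large_text: bool = False) -> bool:
    """WCAG 2.1 AA: 4.5:1 for normal text, 3:1 for large text (about 18pt, or 14pt bold)."""
    threshold = 3.0 if large_text else 4.5
    return contrast_ratio(foreground, background) >= threshold


def audit_palette(pairs):
    """Return (fg, bg, ratio, passes_normal_text) for each pair, worst contrast first."""
    rows = []
    for fg, bg in pairs:
        ratio = contrast_ratio(fg, bg)
        rows.append((fg, bg, round(ratio, 2), ratio >= 4.5))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Constructed sample palette: the kind of grey body text on white that commonly fails.
    sample = [("#777777", "#ffffff"), ("#767676", "#ffffff"), ("#000000", "#ffffff")]
    for fg, bg, ratio, ok in audit_palette(sample):
        print(f"{fg} on {bg}: {ratio}:1 {'PASS' if ok else 'FAIL'} (AA, normal text)")
```

The two greys in the sample differ by one unit per channel, and one passes while the other fails; that is how close real palettes sit to the threshold, which is why a numeric check belongs in the design review rather than relying on eyeballing.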
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies to you as a merchant. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an embedded, iframe-based payment form from a compliant processor (Stripe, PayPal, Square). When card data goes straight from the customer’s browser to the processor and never touches your server, your scope shrinks to SAQ A, the shortest self-assessment questionnaire. Even then, PCI DSS v4 pays attention to the other scripts on the page that embeds the payment form, because a compromised plugin or theme script on that page can skim card details as they are typed; check your processor’s current SAQ A guidance for what script management and tamper detection you are expected to have.
Do not collect card numbers in your own forms, do not accept them over email or support chat, and do not store card numbers anywhere in your database or logs. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: the processor’s own code collects the card details client-side, returns an opaque token (or payment method ID) to your page, and only that token is sent to your server.
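Customers will still paste a card number into an order-notes field or a support form no matter what your checkout looks like, and one such field is enough to put card data in your database and logs. The following is an added example, not code from the original post or from any processor or plugin it names: a guardrail that scans submitted form fields for anything that looks like a payment card number (13 to 19 digits passing the Luhn check) and rejects the request before it is stored. The form dictionary and the function name `reject_if_card_data` are assumptions for the example; the 4242 number is the public Stripe test Visa.

```python
"""Card-data guardrail for a site that must stay in PCI SAQ A scope.

Added example, not from the original post. The point of SAQ A is that card numbers
never reach your server; this checks incoming form bodies for anything that looks
like a PAN and rejects the request before it can land in logs or the database.
Assumed integration point: call reject_if_card_data(form) in your own request
handling before a POST is processed (hypothetical function name).
"""
import re

# 13-19 digit runs, optionally broken up with spaces or dashes ("4242 4242 4242 4242").
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1), the check digit every payment card number carries."""
    total = 0
    for index, ch in enumerate(reversed(digits)):
        n = int(ch)
        if index % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the digit-only PANs found in free text (Luhn-valid, 13-19 digits)."""
    found = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most PCI DSS lets you display by default."""
    return "*" * (len(digits) - 4) + digits[-4:]


class CardDataError(ValueError):
    """Raised when a request carries what looks like a payment card number."""


def reject_if_card_data(form: dict) -> dict:
    """Scan every field of a submitted form; raise if a PAN is present, else return the form.

    Only masked values appear in the error message, so the exception itself is safe to log.
    """
    for field, value in form.items():
        hits = find_card_numbers(str(value))
        if hits:
            masked = ", ".join(mask_pan(h) for h in hits)
            raise CardDataError(f"field {field!r} contains card data ({masked}); "
                                "card details must go to the payment processor, not this server")
    return form


if __name__ == "__main__":
    # Constructed submissions: a normal order form, and one where the customer pasted a
    # card number (Stripe's public 4242 test Visa) into the notes field.
    print(reject_if_card_data({"order_id": "1234567890123456", "notes": "leave at door"}))
    try:
        reject_if_card_data({"notes": "my card is 4242 4242 4242 4242 exp 12/30"})
    except CardDataError as err:
        print("rejected:", err)
```

Luhn-valid non-card numbers exist (about one in ten random 16-digit strings passes), so the right response to a hit is to refuse the submission and ask the user to remove the number, not to silently strip it; an order ID that happens to pass Luhn is a minor nuisance, while a card number reaching your database is a scope-changing incident.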
DMCA Agent Registration for UGC Sites
If your site lets users upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor protects you from liability for copyright infringement by those users - but only if you have registered a designated agent with the US Copyright Office, have a working notice-and-takedown process, and adopt and reasonably enforce a policy for terminating repeat infringers.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses. Add a DMCA policy page to your site explaining how to send a notice, how you handle counter-notices, and your repeat-infringer policy, and designate an email address or form for receiving DMCA notices. Make sure that address is actually monitored: an unanswered notice is the same as having no process. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you have actual knowledge that a particular user is under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: state a minimum age in your ToS (13 in the US; the GDPR sets 16 as the default age of digital consent, which member states may lower to 13), and add a date of birth check to registration forms if there is any possibility of underage users. Collecting a date of birth cuts both ways: once the form tells you a user is under the minimum age you have actual knowledge, so the registration must be refused and anything already collected from that submission deleted rather than kept.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; log the timestamp and the ToS version accepted alongside it, so that after the terms change you can still show which version each user agreed to. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required, none of them pre-ticked - bundled consent is not valid, a pre-ticked box is not consent at all, and registration must succeed without the marketing box being ticked.
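Client-side checkboxes are only half of this; the rules above and the age check from the COPPA section have to be enforced where the form is received. The following is an added example, not code from the original post, showing a server-side registration validator that records ToS acceptance with its version, treats marketing consent as a separate and optional record, and refuses under-age registrations computed from a date of birth (including 29 February birthdays). Field names, the `TOS_VERSION` and `MARKETING_TEXT_VERSION` constants and the region table are assumptions for the example.

```python
"""Registration-form consent and age checks (added example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

TOS_VERSION = "2024-06-01"            # assumption: version stamp of the ToS currently published
MARKETING_TEXT_VERSION = "signup-v1"  # assumption: identifies the exact opt-in wording shown
MIN_AGE = {"US": 13, "EU": 16}        # COPPA: under 13; GDPR Art. 8 default: under 16
TICKED = {"on", "1", "true"}          # values browsers send for a ticked checkbox


@dataclass
class ConsentRecord:
    """One line of the consent log: who agreed to what, which version, when, how, from where."""
    user: str
    purpose: str       # "tos" or "marketing"
    version: str
    granted_at: str    # ISO 8601, UTC
    ip: str
    method: str        # e.g. "registration_form"


@dataclass
class RegistrationResult:
    ok: bool
    errors: list = field(default_factory=list)
    consents: list = field(default_factory=list)


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today; a 29 Feb birthday counts on 1 Mar in non-leap years."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def ticked(form: dict, name: str) -> bool:
    """Browsers omit unticked checkboxes entirely, so absence means 'not consented'."""
    return str(form.get(name, "")).lower() in TICKED


def validate_registration(form: dict, ip: str, region: str = "US",
                          today: Optional[date] = None,
                          now: Optional[datetime] = None) -> RegistrationResult:
    today = today or date.today()
    now = now or datetime.now(timezone.utc)
    result = RegistrationResult(ok=True)

    # 1. ToS acceptance is mandatory, and only the currently published version is accepted.
    if not ticked(form, "accept_tos"):
        result.errors.append("You must accept the Terms of Service to register.")
    elif form.get("tos_version") != TOS_VERSION:
        result.errors.append("The Terms of Service have changed; please review the current version.")

    # 2. Minimum age from a date of birth (an "I am over 13" box is not an age check).
    dob = None
    try:
        dob = date.fromisoformat(str(form.get("date_of_birth", "")))
    except ValueError:
        result.errors.append("Enter your date of birth as YYYY-MM-DD.")
    minimum = MIN_AGE.get(region, 16)
    if dob is not None and age_on(dob, today) < minimum:
        # The form has now given you actual knowledge of the user's age: no account is
        # created and nothing from this submission is kept.
        result.errors.append(f"You must be at least {minimum} to create an account.")

    if result.errors:
        result.ok = False
        return result

    # 3. Marketing consent is a separate, optional box with its own log entry; registration
    #    succeeds whether or not it was ticked.
    stamp = now.isoformat()
    user = form["email"].strip().lower()
    result.consents.append(ConsentRecord(user, "tos", TOS_VERSION, stamp, ip, "registration_form"))
    if ticked(form, "marketing_opt_in"):
        result.consents.append(ConsentRecord(user, "marketing", MARKETING_TEXT_VERSION,
                                             stamp, ip, "registration_form"))
    return result


if __name__ == "__main__":
    # Constructed form post: a ticked checkbox arrives as "on"; unticked ones are absent.
    form = {"email": "Alice@example.com", "accept_tos": "on", "tos_version": TOS_VERSION,
            "date_of_birth": "2008-02-29"}
    print(validate_registration(form, ip="203.0.113.7", region="EU", today=date(2024, 2, 28)))
```

The consent records are what you will be asked for in a complaint or audit: not "the user registered", but when, from where, through which form, and against which wording, with the marketing consent separable from the account terms.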
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually, and after any major design change | Run a WAVE or axe scan and fix high-severity issues first; follow with a keyboard-only pass through key flows. |
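The monthly cookie scan in the table is most useful when it compares what the site actually sets against what the cookie policy declares, rather than just listing cookies. The following is an added example, not code from the original post or from any consent plugin: it parses Set-Cookie response headers from a page load, checks each cookie against a declared inventory, and flags undeclared cookies, tracking cookies set before consent or misfiled as essential, and missing Secure/HttpOnly attributes. The inventory, the tracker prefixes and the sample headers are constructed for the example.

```python
"""Cookie inventory drift check for the monthly cookie scan (added example, not from the post)."""
from dataclasses import dataclass

# The inventory your cookie policy declares. A trailing '*' matches a name prefix, which
# WordPress needs because its auth cookies carry a hash suffix (wordpress_logged_in_<hash>).
DECLARED = {
    "wordpress_logged_in_*": {"category": "essential", "server_only": True},
    "PHPSESSID": {"category": "essential", "server_only": True},
    "cookie_consent": {"category": "essential", "server_only": False},  # read by the banner script
}

# Prefixes of common analytics and advertising cookies (Google Analytics/Ads, Meta Pixel, Hotjar).
TRACKER_PREFIXES = ("_ga", "_gid", "_gat", "_gcl", "_fbp", "_fbc", "_hj")


@dataclass
class Cookie:
    name: str
    attrs: dict   # attribute names lower-cased; flag attributes such as Secure map to ""


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return Cookie(name, attrs)


def lookup(declared: dict, name: str):
    """Inventory entry for a cookie name, honouring trailing-'*' prefix patterns."""
    if name in declared:
        return declared[name]
    for pattern, entry in declared.items():
        if pattern.endswith("*") and name.startswith(pattern[:-1]):
            return entry
    return None


def is_tracker(name: str) -> bool:
    return name.startswith(TRACKER_PREFIXES)


def scan(set_cookie_headers, declared=DECLARED, consent_given=False):
    """Findings as (cookie name, problem) pairs for the cookies observed on one page load.

    consent_given=False models a first visit before the banner has been answered, so any
    tracking cookie seen in that state is being set without consent.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        entry = lookup(declared, cookie.name)
        if entry is None:
            findings.append((cookie.name, "undeclared: not in the cookie policy inventory"))
        if is_tracker(cookie.name):
            if entry is not None and entry["category"] == "essential":
                findings.append((cookie.name, "misclassified: tracking cookie listed as essential"))
            if not consent_given:
                findings.append((cookie.name, "set before consent"))
        if "secure" not in cookie.attrs:
            findings.append((cookie.name, "missing Secure attribute"))
        if entry is not None and entry.get("server_only") and "httponly" not in cookie.attrs:
            findings.append((cookie.name, "session/auth cookie without HttpOnly"))
        if cookie.attrs.get("samesite", "").lower() == "none" and "secure" not in cookie.attrs:
            findings.append((cookie.name, "SameSite=None requires Secure"))
    return findings


if __name__ == "__main__":
    # Constructed response headers from a page load right after an analytics plugin was installed.
    sample = [
        "PHPSESSID=k3j2h1; Path=/; Secure; HttpOnly; SameSite=Lax",
        "wordpress_logged_in_9f3a=alice%7C1700000000; Path=/; Secure; HttpOnly",
        "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
        "cookie_consent=pending; Path=/; Secure; SameSite=Lax",
    ]
    for name, problem in scan(sample):
        print(f"{name}: {problem}")
```

To feed it real data, collect the Set-Cookie headers from a fresh browser profile (no prior consent) on your front page, login page and checkout, and add the names of cookies set by JavaScript (visible in the browser's storage inspector) to the same list. Run it again with consent_given=True after accepting the banner to confirm the tracking cookies appear only then.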
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR (together with the EU ePrivacy rules), you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message must identify the sender, include a valid postal address, and offer an unsubscribe mechanism that is honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with only narrow implied-consent exceptions such as an existing business relationship.
For a globally compliant email list: use double opt-in (the subscriber clicks a link in a confirmation email before being added to your list), record the date, IP address, method of consent and the wording the subscriber saw, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required) without requiring a login, and never purchase email lists. Together these satisfy the consent rules of all three regimes. If you send in volume, also expect mailbox providers to enforce one-click unsubscribe (the List-Unsubscribe headers) as a condition of delivery; Gmail and Yahoo have required it from bulk senders since 2024.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when you use their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard, and if you use a custom signup form on your own site, make sure it passes the consent timestamp and source through to the platform rather than just the address.
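If you build the signup path yourself instead of using a platform's hosted form, the consent record described above has to be produced by your code, and the confirmation link has to be one that cannot be forged for someone else's address. The following is an added example, not code from the original post or from any of the platforms it names: a double opt-in flow whose confirmation URL carries an HMAC-signed, expiring token bound to the email address, a consent log that records the form submission and the confirmed click with their IPs, and an unsubscribe that takes effect immediately. The secret, the 48-hour link lifetime and the example.com URL shape are assumptions for the example.

```python
"""Double opt-in and unsubscribe handling with signed confirmation links.

Added example, not from the original post. The consent record (date, IP, method) is
created only when the subscriber clicks a confirmation link, and the link carries an
HMAC-signed, expiring token so a confirmation cannot be forged for someone else.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"rotate-me-and-keep-out-of-source-control"  # assumption: loaded from config in real use
CONFIRM_TTL = 48 * 3600  # confirmation links stop working after 48 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued_at: int) -> str:
    """'payload.signature': the signature binds the address and issue time to our secret."""
    payload = _b64(json.dumps({"e": email.lower(), "t": issued_at}).encode())
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def read_token(token: str, now: int) -> Optional[str]:
    """Return the email if the signature verifies and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        data = json.loads(_unb64(payload))
        if now - int(data["t"]) > CONFIRM_TTL:
            return None
        return data["e"]
    except (ValueError, KeyError, TypeError):
        return None


class MailingList:
    """In-memory list with pending addresses, confirmed subscribers and a consent log."""

    def __init__(self):
        self.pending = {}       # email -> IP that submitted the form
        self.subscribers = set()
        self.consent_log = []   # append-only; this is the evidence you keep

    def signup(self, email: str, ip: str, now: int) -> str:
        """Step 1: the form submission. Nothing is added to the list yet; returns the confirm URL."""
        email = email.lower()
        self.pending[email] = ip
        self.consent_log.append({"email": email, "event": "signup_form", "ip": ip, "at": now})
        return f"https://example.com/confirm?token={make_token(email, now)}"  # assumed URL shape

    def confirm(self, token: str, ip: str, now: int) -> bool:
        """Step 2: the click in the confirmation email. Only now is the address subscribed."""
        email = read_token(token, now)
        if email is None or email not in self.pending:
            return False
        self.subscribers.add(email)
        self.consent_log.append({"email": email, "event": "double_opt_in_confirmed",
                                 "ip": ip, "form_ip": self.pending.pop(email), "at": now})
        return True

    def unsubscribe(self, email: str, now: int) -> None:
        """Honour immediately: remove from the list and log the withdrawal, no login required."""
        email = email.lower()
        self.subscribers.discard(email)
        self.pending.pop(email, None)
        self.consent_log.append({"email": email, "event": "unsubscribed", "at": now})


if __name__ == "__main__":
    # Constructed walk-through of the flow with fixed timestamps.
    ml = MailingList()
    url = ml.signup("Reader@example.org", "198.51.100.4", now=1_700_000_000)
    token = url.split("token=", 1)[1]
    print("confirmed:", ml.confirm(token, "198.51.100.9", now=1_700_003_600))
    print("subscribers:", ml.subscribers)
```

Note that the token is rejected once the address is no longer pending, so a confirmation link cannot be replayed to re-subscribe someone who has since unsubscribed, and the unsubscribe path needs only the address, which is what an emailed one-click link provides.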
Privacy-First Analytics Options
Google Analytics requires consent under GDPR and the ePrivacy rules because it sets tracking cookies and sends data to Google’s servers in the US; several EU regulators found those transfers unlawful in 2022, and although the EU-US Data Privacy Framework adopted in 2023 changed the transfer picture, the consent requirement for its cookies remains. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics; self-hosted, so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured for plain audience measurement (cookie-less or with IP anonymization, no cross-site tracking, no data shared with third parties). Self-hosting also means you patch and secure the Matomo server yourself; an unmaintained analytics install is an attractive foothold because its script runs on every page.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner needed for the analytics itself.
Switching to a privacy-first analytics tool removes the need for analytics cookie consent, simplifies your cookie consent banner (you may still need one for other non-essential cookies), and often speeds up your site, because privacy-first tools load a much smaller script than Google Analytics.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that do business in California and: have annual gross revenue over $25 million, buy, sell or share the personal information of 100,000+ California residents or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions; sharing for cross-context behavioral advertising is exactly what the CPRA added.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. California also requires you to honor opt-out preference signals sent by the browser, such as Global Privacy Control (a Sec-GPC: 1 request header, exposed to scripts as navigator.globalPrivacyControl), as an opt-out of sale and sharing; check that your consent plugin acts on that signal and not only on the footer link.
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
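A misconfigured theme or a custom checkout field can still post raw card numbers to your server even when the official plugins are installed. As an added example (not code from the article, Stripe, PayPal or WooCommerce), this server-side guard rejects any submission that carries a Luhn-valid card number, so a stray PAN never reaches your database or logs; field names in the sample bodies are constructed.

```javascript
// Added example: refuse checkout payloads that contain a primary account number (PAN).
// A correctly tokenised form only ever sends the processor's opaque id, never digits.

// 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
const PAN_CANDIDATE = /(?<!\d)(?:\d[ -]?){13,19}(?!\d)/g;

// Luhn mod-10 check filters out phone numbers, order ids and other digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk a (possibly nested) request body; report each PAN-like value with its field path.
// Only the last four digits are kept, so the result itself is safe to log.
function findCardNumbers(value, path = '') {
  const hits = [];
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findCardNumbers(v, path ? `${path}.${k}` : k));
    }
    return hits;
  }
  if (typeof value !== 'string' && typeof value !== 'number') return hits;
  const text = String(value);
  for (const m of text.match(PAN_CANDIDATE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ field: path, masked: '*'.repeat(digits.length - 4) + digits.slice(-4) });
    }
  }
  return hits;
}

// Gate for the checkout endpoint: accept tokenised payloads, reject anything with a PAN.
// `log` contains only field paths and masked values, never the card number itself.
function screenCheckout(body) {
  const hits = findCardNumbers(body);
  if (hits.length === 0) return { ok: true, status: 200 };
  return {
    ok: false,
    status: 400,
    log: `rejected card data in fields: ${hits.map((h) => `${h.field}=${h.masked}`).join(', ')}`,
  };
}
```

Run the same scan over your application logs and database dumps once; anything it finds is data you are already storing out of scope.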
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - exempt when the user explicitly chose the setting (a language picker), consent required when it is set on the user’s behalf or readable by third parties |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under ePrivacy/GDPR - a few regulators (CNIL, for example) exempt first-party audience measurement that meets narrow conditions: no cross-site tracking, anonymised output, short retention |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide the data within one month of receipt; GDPR allows two further months for complex or numerous requests, but you must tell the requester about the extension within the first month)
- Process for deletion requests (erase the data within the same one-month deadline, subject to exceptions such as legal retention obligations, and forward the request to any processor holding copies)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download, or for electronic acceptance in their settings dashboards (Google Analytics, for example, keeps its data processing terms under the account’s admin settings). Completing them is a 10-minute task per vendor. Article 28 of the GDPR requires a written contract with every processor, so an unsigned DPA is a violation on its own even if everything else is in order. Keep a dated copy of each version you accept, because vendors revise them.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR (Article 33) requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to them, you must also notify the affected users directly (Article 34). Two practical points: the clock starts when you become aware, so an alert that sits unread in a shared inbox for a week does not pause it; and every breach, including those you decide not to report, must be recorded in an internal breach register with the facts, the effects and the remedial action taken. Your processors (host, email platform, payment provider) are obliged to notify you without undue delay; check that each DPA states the deadline they commit to. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer, and make sure that clicking it actually switches off the advertising pixels and analytics data sharing rather than only displaying a notice. The CPRA regulations also require honoring opt-out preference signals such as Global Privacy Control (GPC), which browsers send as a Sec-GPC request header and expose to scripts as navigator.globalPrivacyControl; a link alone does not satisfy this. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display the link only to California visitors - check in their settings whether GPC handling is enabled as well.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card entry is fully outsourced through a redirect or a processor-hosted iframe, so that card data goes to the processor’s servers and never touches yours, your PCI scope is reduced to SAQ A (the shortest self-assessment questionnaire). Be precise about what qualifies: if your own JavaScript reads the card number, even briefly, before posting it to the processor (the “direct post” pattern), you fall into SAQ A-EP, which is considerably longer.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements (which render the card fields inside a Stripe-hosted iframe), PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly: the processor collects the card details client-side and your server only ever sees a token. One caveat that a reduced scope does not remove: the checkout page that embeds the iframe is still served by your WordPress install. A compromised plugin, theme or admin account can add a script to that page that captures card numbers as they are typed, right next to the legitimate form - the pattern behind Magecart-style skimming. PCI DSS v4.0 addresses this with payment-page script inventory and authorization (requirement 6.4.3) and change or tamper detection (11.6.1); whether those appear on your SAQ depends on the current SAQ A eligibility criteria, but the defence is worth having regardless: keep WordPress, themes and plugins patched, use strong credentials and two-factor authentication on admin accounts, and set a Content-Security-Policy on the checkout page that restricts script-src and frame-src to your own origin and the processor’s domains.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions (Section 512) protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office, have a working notice-and-takedown process, and have adopted and actually enforce a policy of terminating repeat infringers.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation expires after three years, so put the renewal date in your maintenance schedule. Add a DMCA policy page to your site explaining your takedown process (including the counter-notice procedure for users whose content is removed), and designate an email address or form for receiving DMCA notices - the same agent contact details must appear both on your site and in the Copyright Office directory. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; log the timestamp and the version of the terms accepted, not just a boolean. Keep GDPR consent separate from that acceptance: processing the account data you need in order to provide the service rests on the contract, not on consent, so it gets no consent checkbox at all, while each genuine consent purpose (email marketing, for example) gets its own unticked checkbox. Bundling marketing consent into the ToS checkbox invalidates the consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need opt-in consent to send marketing emails to subscribers (the one narrow exception is the “soft opt-in”: marketing your own similar products to existing customers who were offered a clear opt-out when their address was collected and in every message since). Under CAN-SPAM (US), opt-in is not required, but every message must identify the sender with a valid physical postal address, use accurate headers and subject lines, and carry a working unsubscribe mechanism that is honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial messages, with limited implied-consent exceptions such as an existing business or non-business relationship.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured that way: cookie-less tracking on, IP anonymisation on (mask at least two bytes), no user ID or cross-site tracking, and short raw-data retention. Verify the configuration by checking that a fresh visit sets no _pk_ cookies.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. Browsewrap (using the site implies acceptance) is weakly enforceable; for anything with accounts or payments use clickwrap, an explicit unticked checkbox at registration or checkout, and log the acceptance
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
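The requirements above (prior consent, granular categories, no passive or pre-ticked consent, easy withdrawal, a consent record) and the category table can be enforced in a few dozen lines of browser code. The following is an added example written for this page, not code from the post or from any of the plugins it reviews; the script manifest, URLs and storage key are constructed, and it is kept DOM-free so it can be unit tested (in a browser, pass `window.localStorage` as `store` and `domLoader` as `loader`).

```javascript
// Added example (not from the original post): a minimal consent manager.
// Nothing outside "necessary" runs until the visitor makes an explicit
// choice, each category is granted separately, every choice is recorded
// with a timestamp and policy version, and withdrawal is one call.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Bump this whenever the cookie policy changes: a record made under an older
// version no longer counts, so the banner is shown again.
const POLICY_VERSION = '2026-01';

// Every script the site loads, tagged with its cookie category.
// Constructed sample manifest; the URLs are placeholders.
const SCRIPT_MANIFEST = [
  { id: 'csrf-helper', category: 'necessary',  src: '/js/csrf.js' },
  { id: 'lang-pref',   category: 'functional', src: '/js/prefs.js' },
  { id: 'analytics',   category: 'analytics',  src: 'https://analytics.example/script.js' },
  { id: 'ads-pixel',   category: 'marketing',  src: 'https://ads.example/pixel.js' },
];

const STORAGE_KEY = 'cookie-consent';

class ConsentManager {
  // store:    { getItem, setItem, removeItem } (window.localStorage in a browser)
  // loader:   (entry) => void, called once per script that is allowed to run
  // onRecord: optional, receives each saved record so it can be forwarded to a
  //           server-side consent log (the "consent records" requirement)
  constructor({ store, loader, onRecord = () => {}, now = () => new Date() }) {
    this.store = store;
    this.loader = loader;
    this.onRecord = onRecord;
    this.now = now;
    this.loaded = new Set();
  }

  // The current valid record, or null. "No record" is the default and means
  // "no consent": scrolling, browsing or a pre-ticked box never create one.
  record() {
    const raw = this.store.getItem(STORAGE_KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    return rec && rec.version === POLICY_VERSION && Array.isArray(rec.granted) ? rec : null;
  }

  // Persist an explicit, granular choice. `choices` maps category -> true.
  // Only a literal `true` counts; anything omitted or coerced is refused, so
  // a buggy banner cannot grant consent by accident.
  save(choices) {
    const granted = CATEGORIES.filter(c => c === 'necessary' || choices[c] === true);
    const rec = {
      id: Math.random().toString(36).slice(2, 12), // reference for the server log
      version: POLICY_VERSION,
      at: this.now().toISOString(),
      granted,
    };
    this.store.setItem(STORAGE_KEY, JSON.stringify(rec));
    this.onRecord(rec);
    this.apply();
    return rec;
  }

  // "Reject All" must be as easy as "Accept All": both are a single call.
  acceptAll() { return this.save(Object.fromEntries(CATEGORIES.map(c => [c, true]))); }
  rejectAll() { return this.save({}); }

  // Withdrawal returns to the no-consent state. Scripts already running cannot
  // be unloaded, so a real banner reloads the page after calling this.
  withdraw() { this.store.removeItem(STORAGE_KEY); }

  allowed(category) {
    if (category === 'necessary') return true;
    const rec = this.record();
    return rec !== null && rec.granted.includes(category);
  }

  // Load every manifest script whose category is allowed, each at most once.
  // Call on page load (loads only "necessary" until a choice exists) and again
  // after save(). Returns the ids loaded by this call.
  apply() {
    const loadedNow = [];
    for (const entry of SCRIPT_MANIFEST) {
      if (this.allowed(entry.category) && !this.loaded.has(entry.id)) {
        this.loader(entry);
        this.loaded.add(entry.id);
        loadedNow.push(entry.id);
      }
    }
    return loadedNow;
  }
}

// In-memory stand-in for localStorage (tests, server-side rendering).
function memoryStore() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Browser wiring (not executed here): inject a <script> tag for an allowed entry.
function domLoader(entry) {
  const s = document.createElement('script');
  s.src = entry.src;
  s.async = true;
  document.head.appendChild(s);
}
```

Because tags are only injected after `allowed()` returns true, a cookie scan of the page before any choice should show only the "Strictly Necessary" row of the table above.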
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
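Even with tokenized checkout, visitors sometimes type a card number into an ordinary field (an order note, a support ticket). The following added example, written for this page and not taken from the post or any processor's SDK, is a server-side guard that detects a Luhn-valid card number in a form submission and drops that field before anything is stored or logged; the field names and sample submission are constructed.

```javascript
// Added example (not from the original post): keep accidental card numbers
// out of your own database and logs. This never handles card data on
// purpose; it only refuses to persist a PAN that arrived in a free-text field.

// Luhn check: every real card number passes it; most other digit runs do not.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if the value contains a 13-19 digit run (spaces or dashes between
// digits allowed, as people type them) that is Luhn-valid.
function looksLikeCardNumber(value) {
  const text = String(value);
  const re = /(?:\d[ -]?){12,18}\d/g;
  for (const m of text.match(re) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Inspect a submission before it is persisted. Returns the fields that are
// safe to store, the names of the fields that were dropped, and an audit line
// that names the field but never the value.
function guardSubmission(fields) {
  const rejected = [];
  const safe = {};
  for (const [name, value] of Object.entries(fields)) {
    if (looksLikeCardNumber(value)) rejected.push(name);
    else safe[name] = value;
  }
  return {
    ok: rejected.length === 0,
    safe,
    rejected,
    logLine: rejected.length ? `pan-guard: dropped fields ${rejected.join(',')}` : null,
  };
}

// Constructed sample submission: the order id is 16 digits but not Luhn-valid,
// so only the note (which contains a test card number) is dropped.
const SAMPLE_SUBMISSION = {
  name: 'A. Example',
  phone: '555-0100',
  order: '1234567890123456',
  note: 'my card is 4242 4242 4242 4242 please charge it',
};
```

Wire `guardSubmission` in front of whatever writes form data (a WooCommerce order note hook, a contact-form handler) and alert on `logLine` so a recurring pattern can be fixed at the form level.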
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
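The requirements list and the category table above describe behaviour that a banner has to implement, not just display: nothing non-essential runs until the visitor acts, each category is granted separately, a record is written with a timestamp, and withdrawal resets everything except strictly necessary cookies. The following is an added example written for this post, not code from the article or from any of the consent plugins compared below. It is the consent-state logic of a banner with the DOM left out, so it can be unit-tested; the four category names, the record layout, and the sample script inventory are this example's own assumptions.

```javascript
// Added example for this post, not code from the original article or from any
// consent plugin named on the page. Pure consent-state logic for a cookie banner,
// kept free of DOM calls so it can be unit-tested in Node. Category names, the
// record layout and the sample script inventory are this example's own assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// "necessary" is exempt from consent; every other category starts as false, so
// nothing non-essential runs before the visitor acts (no pre-ticked boxes).
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Build a consent record from the visitor's explicit choices.
// policyVersion ties the record to the cookie policy text shown at the time;
// now and subjectId are injected so the function is deterministic and testable.
function recordConsent(choices, { policyVersion, now, subjectId }) {
  const granted = defaultChoices();
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") continue;   // cannot be refused, needs no consent
    granted[category] = value === true;       // only an explicit boolean true counts
  }
  const anyGranted = CATEGORIES.some((c) => c !== "necessary" && granted[c]);
  return {
    subjectId,                                // pseudonymous id from the banner's own cookie
    policyVersion,
    givenAt: now.toISOString(),
    action: anyGranted ? "accept" : "reject",
    choices: granted,
  };
}

// Withdrawal must be as easy as giving consent: emit a new record that resets
// every non-essential category. The earlier record stays in the log as evidence.
function withdrawConsent(previous, { now }) {
  return {
    ...previous,
    givenAt: now.toISOString(),
    action: "withdraw",
    choices: defaultChoices(),
  };
}

// May a script in `category` run under this record? With no record yet
// (the visitor has not acted), only strictly necessary scripts may run.
function mayLoad(category, record) {
  if (category === "necessary") return true;
  if (!record) return false;
  return record.choices[category] === true;
}

// Given a site's tag inventory, return the script URLs the page may inject now.
function scriptsToLoad(inventory, record) {
  return inventory.filter((s) => mayLoad(s.category, record)).map((s) => s.src);
}

// Constructed sample inventory; the URLs are placeholders, not real tags.
const SAMPLE_INVENTORY = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/js/prefs.js", category: "functional" },
  { src: "https://analytics.example/a.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Usage: a banner's "Accept selected" handler calls recordConsent with the
// checkbox state, persists the record (cookie plus server-side log), and then
// injects only scriptsToLoad(SAMPLE_INVENTORY, record).
```

Two details are deliberate: a value like the string "on" from a form field is not treated as consent (only a boolean true is), and a missing record yields the same result as a rejection, which is what "prior" consent means in practice.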
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
Under GDPR, individuals can exercise rights over their data, and you need a documented process for each:
- Access requests: provide a copy of the data within one month of receipt (GDPR Art. 12(3); extendable by two further months for complex or numerous requests, provided you tell the requester why within the first month)
- Deletion requests: erase the data within the same one-month window, subject to the exceptions in Art. 17(3) (for example, records you are legally required to keep for tax purposes)
- Portability requests: export the data the person provided to you in a structured, commonly used, machine-readable format (CSV or JSON)
- Correction requests: update inaccurate data
- Document where you receive these requests (a dedicated email address or form) and who is responsible for handling them
Verify the requester's identity before releasing or erasing anything. Art. 12(6) lets you ask for the information needed to confirm identity when you have reasonable doubts, and an unverified access request is the cheapest way for an attacker to obtain someone else's data or have their account wiped.
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These cover core WordPress data (user profiles, comments, uploaded media) but only include plugin data if the plugin registers its own handlers through the wp_privacy_personal_data_exporters and wp_privacy_personal_data_erasers filters. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions are covered: run a test export for a known user and confirm that their plugin data actually appears in the result, rather than assuming it does.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Art. 33). If it is likely to result in a high risk to them, you must also notify the affected users directly and without undue delay (Art. 34). Two things are easy to miss: every breach must be recorded internally with its facts, effects and remediation, even when you decide it does not need reporting (Art. 33(5)), and the 72 hours run from the moment you learn of it, so check that the DPAs with your hosting provider and plugin vendors oblige them to tell you promptly. Designate someone responsible for breach assessment and notification in your organization, and write down how to reach them out of hours.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), as amended by the CPRA effective January 2023, applies to for-profit businesses that meet any one of three thresholds: annual gross revenue over $25 million, buying, selling or sharing the personal information of 100,000 or more California residents or households per year, or earning 50% or more of annual revenue from selling or sharing personal information. Many small websites fall under none of them. The catch is the third threshold combined with the CCPA's broad definitions: running behavioral advertising pixels (Facebook Pixel) or Google Analytics with data sharing enabled counts as "selling" or "sharing" personal information, so an ad-funded site can be in scope at modest traffic levels.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 for normal text, 3:1 for large text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than three times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first, and re-run the scan after any theme or plugin change that touches your templates; automated tools only catch a subset of the criteria, so a clean scan is a starting point, not proof of compliance.
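The contrast figure in that list is a defined formula (WCAG 2.1 relative luminance and contrast ratio), so a colour pair can be checked without a scanner. The JavaScript below is an added example, not code from the original post or from WAVE or axe; the palette at the bottom is constructed for the example.

```javascript
// Added example, not from the original post: WCAG 2.1 relative luminance and
// contrast ratio, the computation behind the 4.5:1 (normal text) and 3:1
// (large text) AA thresholds.

// sRGB channel (0-255) -> linear value, per the WCAG 2.1 definition.
function srgbChannelToLinear(c8) {
  const c = c8 / 255;
  return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
}

// Accepts '#rgb' or '#rrggbb' and returns [r, g, b] as 0-255 integers.
function parseHex(hex) {
  const h = hex.replace('#', '');
  const full = h.length === 3 ? h.split('').map(ch => ch + ch).join('') : h;
  if (!/^[0-9a-fA-F]{6}$/.test(full)) throw new Error(`bad colour: ${hex}`);
  return [0, 2, 4].map(i => parseInt(full.slice(i, i + 2), 16));
}

function relativeLuminance(hex) {
  const [r, g, b] = parseHex(hex).map(srgbChannelToLinear);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio is symmetric: the lighter colour always goes on top.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg), l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// AA: 4.5:1 for normal text, 3:1 for large text (>= 18pt, or >= 14pt bold).
function passesAA(fg, bg, largeText = false) {
  return contrastRatio(fg, bg) >= (largeText ? 3 : 4.5);
}

// Constructed palette for the example: three text colours on a white background.
const samplePalette = [
  { use: 'body text', fg: '#333333', bg: '#ffffff', large: false },
  { use: 'muted text', fg: '#777777', bg: '#ffffff', large: false },
  { use: 'hero heading', fg: '#777777', bg: '#ffffff', large: true },
];

// Returns the uses whose colour pair fails AA at their text size.
function failingPairs(palette = samplePalette) {
  return palette.filter(p => !passesAA(p.fg, p.bg, p.large)).map(p => p.use);
}

console.log('failing AA:', failingPairs());
```

The muted grey #777777 on white comes out at roughly 4.48:1, which is why it fails for body text but passes as a large heading; #767676 is the lightest neutral grey that clears 4.5:1 on white.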
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to compliance is to never handle card data yourself: use a hosted payment page or an iframe-based embedded form from a compliant processor (Stripe, PayPal, Square). When card data goes straight from the customer's browser to the processor and never touches your server, your scope shrinks to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms, and do not store them anywhere: not in the database, not in logs, not in support tickets. Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting the card details client-side inside the processor's own iframe and handing your server only a token. Two caveats. First, the iframe matters: a form that collects the number in your own page and then posts it to the processor with JavaScript is SAQ A-EP, not SAQ A, with far more controls to meet. Second, PCI DSS v4 brings the payment page's JavaScript into scope (requirements 6.4.3 and 11.6.1 in the full standard), because a compromised third-party script on the checkout page can read the card number before it ever reaches the processor's iframe. Keep the list of scripts loading on the checkout page short and inventoried, and do not let untrusted plugins inject into it.
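One check worth automating is that card numbers really are not reaching your server. The JavaScript below is an added example, not part of the original post or of any processor's SDK: it scans a request body or log line for digit runs of card length that pass the Luhn check and reports them masked, so it can be run over form-handler payloads, access logs or support-ticket exports without itself writing a full PAN anywhere. The sample bodies are constructed; the first is what a tokenised checkout should send your server, the other two are the leaks you are looking for.

```javascript
// Added example, not from the original post: a PAN-leak detector for request
// bodies and log lines. Luhn plus a 13-19 digit length is the standard test
// for "this looks like a card number"; hits are reported masked.

function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (dbl) { d *= 2; if (d > 9) d -= 9; } // double every second digit from the right
    sum += d;
    dbl = !dbl;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Finds 13-19 digit runs (single spaces or dashes allowed between digits) that
// pass Luhn. Returns first six + last four, so the detector never logs a PAN.
function findPans(text) {
  const hits = [];
  const re = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  for (const m of String(text).matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19) continue;
    if (/^(\d)\1*$/.test(digits)) continue;          // 0000..., 1111... are not cards
    if (!luhnValid(digits)) continue;
    hits.push({
      masked: digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4),
      offset: m.index,
    });
  }
  return hits;
}

// Constructed sample bodies (not real traffic). The first is what a tokenised
// checkout should post to your server; the other two are leaks.
const sampleBodies = [
  'payment_method=pm_1NxyzAbc&amount=1999&order=100000000000001',
  'card_number=4242424242424242&exp=12%2F29&cvc=123',
  'POST /checkout number=4000 0566 5566 5556 name=x',
];

function scanSamples() {
  return sampleBodies.map(body => findPans(body));
}

console.log(JSON.stringify(scanSamples()));
```

The long order id in the first body is deliberately card-length; it is rejected because it fails Luhn, which is what keeps the false-positive rate down on order numbers, timestamps and tracking ids. Anything this flags in a server-side log or database dump means card data is crossing a boundary it should not, and your SAQ A assumption no longer holds.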
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory, and it must be renewed every three years or it lapses, taking the safe harbor with it. The statute also requires you to publish the agent's contact details on your own site, so add a DMCA policy page explaining your takedown (and counter-notice) process, and designate an email address or form for receiving notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age in your ToS (typically 13, or 16 for sites serving EU users, where GDPR lets member states set the age of digital consent anywhere from 13 to 16), add a date-of-birth or age check to registration forms if there is any possibility of underage users, and if you learn that an existing user is under the threshold, delete their data and close the account rather than keep it, because COPPA's obligations attach once you have actual knowledge.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the version of the terms accepted alongside the account. For GDPR consent, each purpose needs its own checkbox (email marketing, product announcements, and so on), unticked by default: a pre-ticked box or a single bundled checkbox is not valid consent. Do not ask for "consent" to the processing needed to run the account itself. That processing rests on the contract with the user, not on consent, and a consent the user cannot refuse without losing the service is not freely given anyway.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
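Client-side tokenization keeps card numbers off your server by design, but a stray custom form field, a support ticket or a debug log can still bring one in. A guard that checks incoming form data for anything that looks like a card number is a cheap way to keep your SAQ A scope honest. The following is an added example, not from the original post or from Stripe, PayPal or WooCommerce: it flags digit runs of 13 to 19 digits that pass the Luhn check, and either rejects the request or redacts the value before it reaches logs or the database. The Express-style `req`/`res`/`next` shape is assumed, and the sample number is the widely published Stripe sandbox test card, not a real card.

```javascript
// Added example: keep raw card numbers (PANs) out of your own forms, logs and
// database. Express-style middleware signature is assumed; the sample card
// number is a public sandbox test number, not real card data.

// Luhn checksum, the check digit scheme used by payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A run of 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// True if any digit run in the value is a Luhn-valid PAN candidate.
function looksLikePan(value) {
  const raw = String(value);
  for (const m of raw.match(PAN_CANDIDATE) ?? []) {
    const digits = m.replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return true;
  }
  return false;
}

// Replace Luhn-valid PAN candidates with a marker that keeps only the last four
// digits, which is what a support log legitimately needs.
function redactPans(value) {
  return String(value).replace(PAN_CANDIDATE, m => {
    const digits = m.replace(/[ -]/g, "");
    return luhnValid(digits) ? "[PAN REDACTED ****" + digits.slice(-4) + "]" : m;
  });
}

// Middleware: reject any request whose form fields carry a card number. With
// Stripe.js / Elements or Smart Buttons in place, the browser sends you a token,
// so a PAN arriving here means a form is wired incorrectly.
function rejectCardData(req, res, next) {
  const offending = Object.keys(req.body ?? {}).filter(k => looksLikePan(req.body[k]));
  if (offending.length) {
    return res.status(400).json({ error: "card data must not be sent to this server", fields: offending });
  }
  next();
}
```

Expect occasional false positives (a 16-digit order or tracking number has a one-in-ten chance of passing Luhn), so apply the rejecting middleware to routes that should never see a card number, and use `redactPans` on free-text fields and log output.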
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
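The consent plugins compared below implement the rules above for you, but the logic is worth seeing once because misconfigured plugins routinely fire analytics and marketing tags before the banner is answered. The following is an added example, not from the original post or from any plugin: a small consent gate that registers non-essential scripts by category, loads them only after an active opt-in to that category, records what was consented to and when under a policy version, and treats withdrawal as deleting the record. The `store` interface (`get`/`set`/`remove`), the `loadScript` callback, the `POLICY_VERSION` string and the script URLs are assumptions so the same logic runs in a browser or in a test.

```javascript
// Added example: a granular cookie-consent gate. "necessary" scripts always
// load; "functional", "analytics" and "marketing" scripts wait for an explicit
// opt-in to their category. `store` (get/set/remove) and `loadScript` are
// injected so the logic runs against document.cookie in a browser or a Map in
// a test. POLICY_VERSION and the URLs below are placeholders.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_KEY = "site_consent";
const POLICY_VERSION = "2024-01";   // placeholder: bump when your cookie policy changes

class ConsentManager {
  constructor(store, loadScript, now = () => new Date()) {
    this.store = store;
    this.loadScript = loadScript;
    this.now = now;
    this.pending = { functional: [], analytics: [], marketing: [] };
    this.loaded = [];   // scripts actually loaded, in order
  }

  // Register a script under a category. Nothing non-essential is fetched until
  // consent for that category exists ("prior" consent).
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    if (category === "necessary") { this._load(src); return; }
    this.pending[category].push(src);
    if (this.allowed(category)) this._flush(category);
  }

  // The stored consent record, or null if none exists or it was given under an
  // older policy version (in which case consent must be collected again).
  record() {
    const raw = this.store.get(CONSENT_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === POLICY_VERSION ? rec : null;
  }

  allowed(category) {
    if (category === "necessary") return true;
    const rec = this.record();
    return rec !== null && rec.choices[category] === true;
  }

  // Called from the banner with the user's choices. Only an explicit `true`
  // counts as opt-in; a missing category is recorded as refused, so there is
  // no pre-ticked default and "Reject all" is simply save({}).
  save(choices) {
    const rec = { version: POLICY_VERSION, at: this.now().toISOString(), choices: {} };
    for (const c of CATEGORIES) if (c !== "necessary") rec.choices[c] = choices[c] === true;
    this.store.set(CONSENT_KEY, JSON.stringify(rec));
    for (const c of Object.keys(rec.choices)) if (rec.choices[c]) this._flush(c);
    return rec;
  }

  // Withdrawal is as easy as consent: the record is dropped. Scripts already
  // running cannot be unloaded, so the caller should clear vendor cookies and
  // reload the page after this.
  withdraw() { this.store.remove(CONSENT_KEY); }

  _flush(category) {
    while (this.pending[category].length) this._load(this.pending[category].shift());
  }
  _load(src) { this.loaded.push(src); this.loadScript(src); }
}

// Stand-alone demo against an in-memory store with constructed script URLs.
function demo() {
  const mem = new Map();
  const store = { get: k => mem.get(k) ?? null, set: (k, v) => mem.set(k, v), remove: k => mem.delete(k) };
  const cm = new ConsentManager(store, () => {});
  cm.register("necessary", "/js/csrf.js");
  cm.register("analytics", "https://analytics.example/script.js");
  cm.register("marketing", "https://pixel.example/px.js");
  const beforeConsent = cm.loaded.slice();   // only the necessary script
  cm.save({ analytics: true });              // marketing box left unticked
  const afterConsent = cm.loaded.slice();    // necessary + analytics, no pixel
  cm.withdraw();
  return { beforeConsent, afterConsent, allowedAfterWithdraw: cm.allowed("analytics") };
}
```

In a browser, `store` wraps a first-party cookie or `localStorage` and `loadScript` creates a `<script>` element and appends it to `document.head`; the saved record (version, timestamp, choices) is what a plugin's "consent log" keeps server-side.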
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
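As an added example (not code from the article or from any of the plugins it compares), here is how the requirements above map onto a consent-gated script loader: a non-essential tag is held until its category is explicitly granted, nothing is pre-ticked or accepted by scrolling, withdrawal is one call, and each decision is logged with subject, policy version and time. Category names follow the Cookie Categories table; POLICY_VERSION, the callback names and the tag descriptors are assumptions for this example.

```javascript
// Added example, not code from the original article or from any consent plugin.
// Consent-gated loader: strictly necessary tags run at once, everything else waits
// for an explicit per-category choice; every decision is recorded.
// Category names follow the table above; POLICY_VERSION and callbacks are constructed.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-01"; // bump when the cookie policy changes: older consent no longer counts

class ConsentManager {
  // loader(tag): run a tag that is now permitted (in a browser: create its <script> element).
  // onRevoke(tag): consent for an already-loaded tag was withdrawn; expire its tag.cookies.
  // now/storage are injectable so the logic can be exercised outside a browser.
  constructor({ loader = () => {}, onRevoke = () => {}, now = () => new Date(), storage = new Map() } = {}) {
    this.loader = loader;
    this.onRevoke = onRevoke;
    this.now = now;
    this.storage = storage; // stand-in for localStorage plus a server-side consent log
    this.pending = [];      // tags waiting for consent in their category
    this.loaded = [];       // tags that have been run
    this.records = [];      // append-only log: what was consented to, when, by whom
  }

  // Effective choices. The default is "nothing granted": there is no pre-ticked box
  // and no accept-by-scrolling path anywhere in this class.
  currentChoices() {
    const choices = { necessary: true, functional: false, analytics: false, marketing: false };
    const saved = this.storage.get("consent");
    // A record taken under an older policy version is stale: ask again.
    if (saved && saved.version === POLICY_VERSION) Object.assign(choices, saved.choices);
    choices.necessary = true; // strictly necessary cookies are exempt and can never be switched off
    return choices;
  }

  // Register a tag { id, category, cookies }. Necessary tags (session, CSRF) run immediately;
  // everything else is held until the visitor grants that category.
  register(tag) {
    if (!CATEGORIES.includes(tag.category)) throw new Error(`unknown cookie category: ${tag.category}`);
    if (this.currentChoices()[tag.category]) this.run(tag);
    else this.pending.push(tag);
  }

  // Record a granular decision for subjectId (e.g. a random consent-ID cookie, itself
  // strictly necessary). Only an explicit boolean true grants a category.
  setConsent(choices, subjectId) {
    const before = this.currentChoices();
    const granted = { necessary: true };
    for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;

    const record = { subjectId, version: POLICY_VERSION, choices: granted, at: this.now().toISOString() };
    this.records.push(record);
    this.storage.set("consent", record);

    // Newly granted categories: release the held tags.
    const stillPending = [];
    for (const tag of this.pending) {
      if (granted[tag.category]) this.run(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;

    // Revoked categories: the host must delete the cookies those tags already set.
    for (const tag of this.loaded) {
      if (before[tag.category] && !granted[tag.category]) this.onRevoke(tag);
    }
    return record;
  }

  acceptAll(subjectId) { return this.setConsent({ functional: true, analytics: true, marketing: true }, subjectId); }
  rejectAll(subjectId) { return this.setConsent({}, subjectId); }
  // Withdrawal is one call and produces the same record format as granting.
  withdraw(subjectId) { return this.rejectAll(subjectId); }

  run(tag) { this.loaded.push(tag); this.loader(tag); }
}
```

In a browser, `loader` would create the `<script>` element for the tag and `onRevoke` would expire the cookies listed in `tag.cookies`, with the next page load re-evaluating every registration against the stored choices.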
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs. necessary account data) are required - bundled consent is not valid.
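Server-side validation for the registration form described in the COPPA section and the placement notes above, added here as an example (not the post's code or any plugin's): the submitted date of birth is checked against the 13 (or 16 for EU) minimum, ToS acceptance is required and recorded, and marketing consent is a separate optional field that is never bundled with it. The field names, the region flag and the ToS version are assumptions.

```javascript
// Added example, not from the original post: registration validation that
// enforces a minimum age from the date of birth and keeps ToS acceptance and
// marketing consent as separate records. Field names are hypothetical.

const TOS_VERSION = "2026-01"; // hypothetical; bump whenever the Terms change

// Full years between dob and today, counting a birthday only once reached.
// A naive year subtraction over-counts by one before the birthday.
function ageInYears(dob, today) {
  const age = today.getUTCFullYear() - dob.getUTCFullYear();
  const beforeBirthday =
    today.getUTCMonth() < dob.getUTCMonth() ||
    (today.getUTCMonth() === dob.getUTCMonth() && today.getUTCDate() < dob.getUTCDate());
  return beforeBirthday ? age - 1 : age;
}

// COPPA floor is 13; EU-facing sites commonly set 16 in their ToS
function minimumAge(region) {
  return region === "EU" ? 16 : 13;
}

// Accept only a real YYYY-MM-DD date. Date() silently rolls impossible days
// such as 2010-02-30 forward, so the parsed value is compared back to the input.
function parseDob(value) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) return null;
  const d = new Date(value + "T00:00:00Z");
  if (Number.isNaN(d.getTime())) return null;
  return d.toISOString().slice(0, 10) === value ? d : null;
}

// form: { email, dob, region, tos_accepted, marketing_consent } (hypothetical names)
function validateRegistration(form, { now = new Date(), ip = "" } = {}) {
  const errors = [];
  const dob = parseDob(form.dob || "");
  if (!dob) {
    errors.push("dob: a valid YYYY-MM-DD date of birth is required");
  } else if (ageInYears(dob, now) < minimumAge(form.region)) {
    errors.push(`age: you must be at least ${minimumAge(form.region)} to register`);
  }
  // ToS acceptance is the only mandatory checkbox
  if (form.tos_accepted !== true) errors.push("tos: you must accept the Terms of Service");
  if (errors.length > 0) return { ok: false, errors };

  const at = now.toISOString();
  return {
    ok: true,
    errors: [],
    // Store only the outcome of the age check, not the date of birth itself
    account: { email: form.email, minimumAgeConfirmed: true },
    // One record per purpose. Marketing consent is its own unchecked-by-default
    // field; refusing it never blocks account creation.
    records: [
      { purpose: "tos_acceptance", version: TOS_VERSION, at, ip, method: "registration_checkbox" },
      { purpose: "marketing_email", given: form.marketing_consent === true, at, ip, method: "registration_checkbox" },
    ],
  };
}

// Constructed sample submission
console.log(
  validateRegistration(
    { email: "user@example.com", dob: "2013-03-20", region: "EU", tos_accepted: true },
    { now: new Date("2026-03-20T00:00:00Z"), ip: "203.0.113.7" }
  )
); // rejected: 13 today, but the EU minimum here is 16
```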
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
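A minimal consent gate that implements the five requirements above, added here as an example and not code from the original post or from any of the plugins it compares: non-essential scripts stay blocked until an explicit per-category choice, the choice is stored as a dated record with the method used, a stale policy version re-prompts, and withdrawal is one call. Storage and the script loader are injected, and the policy version and the `data-consent` tag convention are assumptions, so the same logic runs in a browser and in Node.

```javascript
// Added example, not from the original post: a consent gate for non-essential
// scripts. Storage and loadScript are injected so it runs in a browser or Node.

const NON_ESSENTIAL = ["analytics", "marketing"]; // "necessary" is exempt
const POLICY_VERSION = "2026-01"; // hypothetical; bump when the cookie policy changes
const STORAGE_KEY = "cookie_consent";

function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const pending = []; // scripts held back until consent: { category, src }
  let record = readRecord();

  function readRecord() {
    const raw = storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      // consent given under an older policy version is stale: ask again
      return parsed.version === POLICY_VERSION ? parsed : null;
    } catch (_) {
      return null;
    }
  }

  function hasConsent(category) {
    if (category === "necessary") return true; // strictly necessary: no consent needed
    return record !== null && record.choices[category] === true;
  }

  // Register a script that must not run before consent. Returns true if it
  // was loaded immediately, false if it is being held back.
  function register(category, src) {
    if (category !== "necessary" && !NON_ESSENTIAL.includes(category)) {
      throw new Error("unknown consent category: " + category);
    }
    if (hasConsent(category)) {
      loadScript(src);
      return true;
    }
    pending.push({ category, src });
    return false;
  }

  function flushPending() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (hasConsent(pending[i].category)) {
        loadScript(pending[i].src);
        pending.splice(i, 1);
      }
    }
  }

  // Persist an explicit per-category decision. Anything not set to true is
  // recorded as refused, so there is never a pre-ticked "yes".
  function save(choices, method) {
    const normalized = {};
    for (const c of NON_ESSENTIAL) normalized[c] = choices[c] === true;
    record = {
      version: POLICY_VERSION,
      timestamp: now().toISOString(),
      method, // how the decision was made: "banner", "settings", "withdraw"
      choices: normalized,
    };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    flushPending();
    return record;
  }

  return {
    needsBanner: () => record === null, // no valid prior decision: show the banner, set nothing
    hasConsent,
    register,
    save,
    // Withdrawal is as easy as giving consent: one call from the footer link.
    // Scripts already running cannot be unloaded, so a real banner also
    // deletes the cookies they set and reloads the page after this call.
    withdraw: () => save({}, "withdraw"),
    getRecord: () => record, // what was consented to, when and how, for the consent log
  };
}

// Browser wiring (assumed convention): non-essential tags are written as
// <script type="text/plain" data-consent="analytics" data-src="..."></script>
// so the browser never executes them on its own; the gate loads them later.
function bootFromDom() {
  if (typeof document === "undefined") return null; // not in a browser (e.g. Node)
  const manager = createConsentManager({
    storage: window.localStorage,
    loadScript: (src) => {
      const s = document.createElement("script");
      s.src = src;
      document.head.appendChild(s);
    },
  });
  for (const tag of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    manager.register(tag.dataset.consent, tag.dataset.src);
  }
  return manager;
}
```

In the browser, `bootFromDom()` runs at page load; the banner's "Accept all", "Reject all" and per-category buttons call `save(...)`, and the footer's cookie settings link exposes `withdraw()`.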
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business that processes data of EU residents, regardless of where the business is located. A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business processing EU resident data | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% annual revenue or 20M EUR |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing UK resident data (post-Brexit) | Similar to EU GDPR, administered by ICO | 4% annual turnover or £17.5M |
The practical implication: if your website is publicly accessible and you collect any data (email signups, contact forms, cookies, analytics), you are almost certainly subject to GDPR if any of your visitors are in the EU. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data (users, comments, media) but do not automatically cover data that plugins store in their own tables. Check whether your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools, or hook them into the core tools.
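The way a plugin hooks its own data into those core tools is the `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers` filters. The following is an added example, not code from the post or from any plugin it names: it registers an exporter and an eraser for a hypothetical custom table `{$wpdb->prefix}newsletter_consent` with assumed columns `id`, `email`, `consent_given_at`, `consent_ip` and `consent_method`. Once it is active, a request made through Tools > Export Personal Data or Tools > Erase Personal Data for an e-mail address includes or removes these rows as well.

```php
<?php
/**
 * Added example (not part of the original post or of any named plugin).
 * Hooks a hypothetical plugin table `{$wpdb->prefix}newsletter_consent`
 * (assumed columns: id, email, consent_given_at, consent_ip, consent_method)
 * into WordPress's built-in personal-data export and erasure tools.
 */

// Register our exporter alongside core's own (users, comments, media).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-newsletter-consent'] = array(
        'exporter_friendly_name' => __( 'Newsletter consent records' ),
        'callback'               => 'example_newsletter_consent_exporter',
    );
    return $exporters;
} );

// Register the matching eraser so deletion requests cover the same data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-newsletter-consent'] = array(
        'eraser_friendly_name' => __( 'Newsletter consent records' ),
        'callback'             => 'example_newsletter_consent_eraser',
    );
    return $erasers;
} );

/**
 * Exporter callback. WordPress calls it with $page = 1, 2, ... until the
 * returned 'done' flag is true, so large tables are exported in batches.
 */
function example_newsletter_consent_exporter( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $offset   = ( max( 1, (int) $page ) - 1 ) * $per_page;
    $table    = $wpdb->prefix . 'newsletter_consent';

    // Cast to array: get_results() returns null when there are no rows.
    $rows = (array) $wpdb->get_results( $wpdb->prepare(
        "SELECT id, email, consent_given_at, consent_ip, consent_method
         FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, $per_page, $offset
    ), ARRAY_A );

    $export_items = array();
    foreach ( $rows as $row ) {
        $export_items[] = array(
            'group_id'    => 'newsletter-consent',
            'group_label' => __( 'Newsletter consent' ),
            'item_id'     => 'newsletter-consent-' . $row['id'],
            'data'        => array(
                array( 'name' => __( 'Email' ),            'value' => $row['email'] ),
                array( 'name' => __( 'Consent given at' ), 'value' => $row['consent_given_at'] ),
                array( 'name' => __( 'Consent IP' ),       'value' => $row['consent_ip'] ),
                array( 'name' => __( 'Consent method' ),   'value' => $row['consent_method'] ),
            ),
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $rows ) < $per_page,   // a short page means we reached the end
    );
}

/**
 * Eraser callback. Deletes every row for the address in one pass. If you must
 * keep a record (for example an unsubscribe entry that proves you stopped
 * mailing someone), set 'items_retained' to true and say why in 'messages'.
 */
function example_newsletter_consent_eraser( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'newsletter_consent';
    $deleted = $wpdb->delete( $table, array( 'email' => $email_address ), array( '%s' ) );

    return array(
        'items_removed'  => (bool) $deleted,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Both callbacks receive the e-mail address the site owner entered in the request screen, so the lookup key is the address, not a user ID; that is why this also works for newsletter subscribers who never created an account.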
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server.
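Even with tokenized checkout, card numbers can still leak into your scope by accident: a customer pastes one into an "order notes" box, or a contact form ends up in your database and log files. The following is an added example, not code from the post or from Stripe, PayPal or WooCommerce: a server-side guard for your own form handlers that rejects any submission containing a Luhn-valid 13 to 19 digit run, and logs only the field name, never the value. The field names and sample submissions are constructed.

```php
<?php
/**
 * Added example (not from the original post or any payment provider).
 * Guard for form handlers on a site where card data is supposed to go straight
 * to the processor: refuses requests whose free-text fields contain something
 * that looks like a card number, so a pasted PAN never reaches the database or
 * the logs. Field names and sample values below are constructed.
 */

/** Luhn checksum: every real card number passes it, most random digit runs do not. */
function luhn_valid(string $digits): bool
{
    $sum    = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum   += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Returns the names of fields that contain a Luhn-valid 13 to 19 digit run.
 * Single spaces or dashes between digits are tolerated ("4111 1111 ...").
 */
function fields_with_pan(array $fields): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (!preg_match_all('/(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/', $value, $m)) {
            continue;
        }
        foreach ($m[0] as $run) {
            $digits = preg_replace('/\D/', '', $run);
            $len    = strlen($digits);
            if ($len >= 13 && $len <= 19 && luhn_valid($digits)) {
                $hits[] = $name;
                break;   // one hit per field is enough
            }
        }
    }
    return $hits;
}

/**
 * Drop-in check for a form handler. Returns null when the submission is clean,
 * otherwise an error message for the visitor. Only the field name is logged.
 */
function reject_if_pan_present(array $fields): ?string
{
    $hits = fields_with_pan($fields);
    if ($hits === []) {
        return null;
    }
    error_log('Rejected submission: possible card number in field(s) ' . implode(', ', $hits));
    return 'Please do not enter card numbers here; payment details are collected on the secure payment page.';
}

// Constructed inputs. 4111 1111 1111 1111 is the well-known Visa test number and passes Luhn;
// an 8-digit order reference does not trigger the check.
$clean = ['email' => 'user@example.com', 'notes' => 'Leave at the door. Order ref 20240517.'];
$dirty = ['email' => 'user@example.com', 'notes' => 'my card is 4111 1111 1111 1111 exp 12/26'];
if (fields_with_pan($clean) !== []) {
    throw new RuntimeException('false positive on clean input');
}
if (fields_with_pan($dirty) !== ['notes']) {
    throw new RuntimeException('card number not detected');
}
echo "ok\n";
```

Run it with `php guard.php`; it prints `ok` when both constructed cases behave as expected. Wire `reject_if_pan_present($_POST)` into any handler that persists or e-mails free text, and keep the error message generic so the response itself never echoes the value back.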
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be easy to find from the places where they matter. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
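If you run your own registration or sign-up form instead of a platform's embedded one, you have to produce those consent records yourself. The following is an added example, not code from the post or from any platform it names, and it ties together three points made above: the age gate from the COPPA section, one un-pre-ticked checkbox per consent purpose so nothing is bundled, and a consent record carrying date, IP and method, with e-mail marketing held in a pending state until a double opt-in link is confirmed. The form field names, the signing secret and the sample submissions are constructed for this example; storing the records and sending the confirmation mail are left to the caller.

```php
<?php
/**
 * Added example (not the post's code and not from any named platform).
 * Registration handler: age gate, separate un-pre-ticked consent checkboxes,
 * and a consent record (date, IP, method) with HMAC-signed double opt-in tokens.
 * Field names, the secret and the sample submissions are constructed.
 */

const MIN_AGE   = 16;   // 13 for a US-only site, 16 for EU sites, as the post describes
const OPTIN_KEY = 'PLACEHOLDER-load-a-random-secret-from-config';   // not a real key

/** Whole years between a YYYY-MM-DD date of birth and $today; null if unparseable or in the future. */
function age_from_dob(string $dob, ?DateTimeImmutable $today = null): ?int
{
    $birth = DateTimeImmutable::createFromFormat('!Y-m-d', $dob);
    if ($birth === false || $birth->format('Y-m-d') !== $dob) {
        return null;   // rejects free text and rolled-over dates such as 2010-02-31
    }
    $today = $today ?? new DateTimeImmutable('today');
    return $birth > $today ? null : $birth->diff($today)->y;
}

/** HMAC-signed, expiring confirmation token bound to one e-mail address. */
function make_optin_token(string $email, int $issued_at): string
{
    $payload = $email . "\n" . $issued_at;   // a validated e-mail address cannot contain a newline
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, OPTIN_KEY);
}

/** Returns the e-mail the token was issued for, or null if forged, malformed or expired. */
function verify_optin_token(string $token, int $now, int $ttl = 86400): ?string
{
    [$b64, $mac] = array_pad(explode('.', $token, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false || !hash_equals(hash_hmac('sha256', $payload, OPTIN_KEY), $mac)) {
        return null;
    }
    [$email, $issued] = array_pad(explode("\n", $payload, 2), 2, '0');
    return ($now - (int) $issued) <= $ttl ? $email : null;
}

/**
 * Validates a submitted form. Returns ['errors' => [...]] or
 * ['user' => ..., 'consents' => [...], 'optin_token' => string|null].
 * A checkbox the visitor did not tick is simply absent from $post: no consent.
 */
function process_registration(array $post, string $ip, int $now): array
{
    $errors = [];
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    $age = age_from_dob((string) ($post['dob'] ?? ''));
    if ($age === null || $age < MIN_AGE) {
        $errors[] = 'You must be at least ' . MIN_AGE . ' years old to register.';
    }
    if (($post['accept_tos'] ?? '') !== '1') {   // required: the account itself rests on the ToS
        $errors[] = 'You must accept the Terms of Service.';
    }
    if ($errors) {
        return ['errors' => $errors];
    }

    $stamp    = gmdate('c', $now);
    $consents = [[
        'purpose' => 'terms_of_service', 'status' => 'given',
        'at' => $stamp, 'ip' => $ip, 'method' => 'registration_checkbox',
    ]];
    $token = null;
    // Marketing is its own optional checkbox, never pre-ticked, and only becomes
    // active after the confirmation link is clicked (double opt-in).
    if (($post['marketing_optin'] ?? '') === '1') {
        $token      = make_optin_token($email, $now);
        $consents[] = [
            'purpose' => 'email_marketing', 'status' => 'pending_double_optin',
            'at' => $stamp, 'ip' => $ip, 'method' => 'registration_checkbox',
        ];
    }
    return ['user' => $email, 'consents' => $consents, 'optin_token' => $token];
}

// Constructed walk-through; 203.0.113.0/24 is a documentation range, not a real visitor.
$now = time();
$ok  = process_registration(
    ['email' => 'user@example.com', 'dob' => '1990-05-04', 'accept_tos' => '1', 'marketing_optin' => '1'],
    '203.0.113.7', $now
);
if (count($ok['consents']) !== 2 || $ok['optin_token'] === null) throw new RuntimeException('expected pending marketing consent');
if (verify_optin_token($ok['optin_token'], $now + 3600) !== 'user@example.com') throw new RuntimeException('valid link rejected');
if (verify_optin_token($ok['optin_token'] . 'x', $now) !== null) throw new RuntimeException('tampered link accepted');
if (verify_optin_token($ok['optin_token'], $now + 2 * 86400) !== null) throw new RuntimeException('expired link accepted');
$no_box = process_registration(['email' => 'a@example.com', 'dob' => '2000-01-01', 'accept_tos' => '1'], '203.0.113.8', $now);
if (count($no_box['consents']) !== 1) throw new RuntimeException('unticked box must produce no marketing record');
echo "ok\n";
```

When the confirmation link is clicked, look the address up from the verified token and update the pending record to confirmed with a second timestamp and IP; that pair of entries (checkbox plus click) is the evidence trail the post asks you to keep. The same structure serves an unsubscribe link, which should flip the status to withdrawn rather than delete the row, so you can still show that a withdrawal was honored.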
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Data Subject Rights
- Process for handling access requests (respond within one month of the request; GDPR allows two further months for complex or numerous requests, but you must tell the requester within the first month)
- Process for deletion requests (erase within one month, with exceptions such as records you must keep to meet a legal obligation or to establish or defend legal claims - say so in your reply rather than silently keeping the data)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors offer their DPA for download or electronic acceptance in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them in place is itself a GDPR violation (Article 28 requires a written contract with every processor) even if everything else is in order, so keep the signed copies or dated acceptance confirmations together where you can produce them on request.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). A request is tied to an email address, and WordPress sends the requester a confirmation link to prove they control that address before the export or erasure runs. These tools only cover data that WordPress core, or a plugin that has registered with them, knows about: check that your WooCommerce orders, BuddyPress profiles, and form submissions actually appear in a test export before you rely on it, and look for a plugin-specific export/erasure tool where they do not.
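The way a plugin makes its own data visible to those two screens is to register an exporter and an eraser through the core filters `wp_privacy_personal_data_exporters` and `wp_privacy_personal_data_erasers`. The following is an added example, not WordPress core code or any real plugin's, that does this for a hypothetical contact-form plugin; it also shows what the "with exceptions" clause of the deletion-request item looks like in practice, by retaining rows under a legal hold and reporting that to the administrator. The table `{$wpdb->prefix}contact_submissions`, its columns (id, email, name, message, ip, created_at, legal_hold) and the `example_cf_` prefix are assumptions.

```php
<?php
// Added example (not WordPress core or any real plugin's code): register a plugin's
// own table with the WordPress privacy tools so that Tools > Export Personal Data and
// Tools > Erase Personal Data cover it. The table {$wpdb->prefix}contact_submissions,
// its columns (id, email, name, message, ip, created_at, legal_hold) and the
// example_cf_ prefix are assumptions.

add_filter( 'wp_privacy_personal_data_exporters', function ( array $exporters ) {
    $exporters['example-contact-form'] = [
        'exporter_friendly_name' => 'Contact Form Submissions',
        'callback'               => 'example_cf_export_personal_data',
    ];
    return $exporters;
} );

// Core calls this once per page, with the address the requester confirmed, until 'done' is true.
function example_cf_export_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $per_page = 100;
    $table    = $wpdb->prefix . 'contact_submissions';

    // The address originates from a request form: always go through $wpdb->prepare().
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, ip, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address,
        $per_page,
        ( (int) $page - 1 ) * $per_page
    ) );

    $items = [];
    foreach ( $rows as $row ) {
        $items[] = [
            'group_id'    => 'example_contact_submissions',
            'group_label' => 'Contact Form Submissions',
            'item_id'     => 'submission-' . $row->id,
            'data'        => [
                [ 'name' => 'Name',       'value' => $row->name ],
                [ 'name' => 'Message',    'value' => $row->message ],
                [ 'name' => 'IP address', 'value' => $row->ip ],
                [ 'name' => 'Submitted',  'value' => $row->created_at ],
            ],
        ];
    }

    // A short page means there is nothing left; otherwise core asks for the next page.
    return [
        'data' => $items,
        'done' => count( $rows ) < $per_page,
    ];
}

add_filter( 'wp_privacy_personal_data_erasers', function ( array $erasers ) {
    $erasers['example-contact-form'] = [
        'eraser_friendly_name' => 'Contact Form Submissions',
        'callback'             => 'example_cf_erase_personal_data',
    ];
    return $erasers;
} );

// Erasure with an exception: rows flagged legal_hold are kept, and the eraser report
// tells the administrator how many were retained and why.
function example_cf_erase_personal_data( $email_address, $page = 1 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_submissions';

    $removed = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE email = %s AND legal_hold = 0",
        $email_address
    ) );
    $retained = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE email = %s AND legal_hold = 1",
        $email_address
    ) );

    return [
        'items_removed'  => (int) $removed > 0,
        'items_retained' => $retained > 0,
        'messages'       => $retained > 0
            ? [ sprintf( '%d submission(s) retained under a legal hold; review before the hold expires.', $retained ) ]
            : [],
        'done'           => true,
    ];
}
```

Drop this into a plugin file and the "Contact Form Submissions" group appears in the export ZIP and in the erasure report. The eraser deletes everything it is allowed to in one call and returns `done => true`, rather than paging, because deleting rows would shift the offsets of a paged query; the exporter pages because exports must not time out on large tables.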
Breach Notification
GDPR requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected users directly. Record every breach in an internal breach register, including the ones you decide not to report and the reasoning, because the authority can ask to see it. Designate someone responsible for breach assessment and notification in your organization, and make sure hosting and application logs are retained long enough to reconstruct what happened.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California consumers or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side in the processor’s iframe or checkout window and tokenizing them before anything reaches your server. The reduced scope assumes the processor’s iframe or redirect is the only code on the page that touches card data, so keep third-party scripts off the checkout page and review any that must stay: a compromised script on your own page can read the form before the token is created (the Magecart pattern), which is why PCI DSS 4.0 adds script inventory and change-detection expectations for payment pages.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes about 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, so put the renewal date in your compliance maintenance schedule. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance; store the timestamp and the version of the terms that was shown alongside the account. For GDPR consent, separate, unticked checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid, and agreeing to the terms cannot double as marketing consent.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required, but every message needs a working unsubscribe mechanism and opt-outs must be honored within 10 business days. Under CASL (Canada), express opt-in is required for commercial electronic messages, with implied consent available only in limited cases such as an existing business relationship, and that implied consent expires.
For a globally compliant email list: use double opt-in (the subscriber clicks a link in a confirmation email before being added to your list, which also proves the address belongs to them), record the date, IP, method of consent, and the exact consent wording or form version for each subscriber, honor unsubscribe requests within 24 hours (not 10 business days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics sets cookies that are not strictly necessary for the site to work, so it needs prior consent under the ePrivacy rules that sit alongside GDPR, and it sends data to Google’s servers in the US, which several EU supervisory authorities objected to in 2022. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Configured without cookies and with IP anonymization, it fits the audience-measurement exemption some regulators (France’s CNIL, for example) allow, so it does not require consent under most GDPR interpretations.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
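The consent rules above (no pre-ticked boxes, one box per purpose, withdrawable) and the email-marketing advice earlier on this page (double opt-in; record the date, IP and method of consent; honor unsubscribes fast) describe one mechanism. The following is an added example, not code from the post or from any email platform, of that mechanism in plain PHP: the confirmation link is an HMAC-signed token so it cannot be forged or pointed at someone else's address, consent is recorded only when the link is clicked, and withdrawal is a second append-only record so the original grant survives as evidence. The secret, the form field names, the 48-hour link lifetime, the policy version string and the in-memory `$store` array are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the post or from any email platform: a minimal double
// opt-in flow with an HMAC-signed confirmation link plus append-only consent records
// holding what GDPR and CASL audits ask for (when, from which IP, by which method, for
// which purpose, against which policy wording). The secret, the form field names, the
// 48-hour link lifetime, the policy version string and the $store array are assumptions.

const CONFIRM_TTL_SECONDS = 48 * 3600;  // assumed policy: confirmation links expire after 48 h
const POLICY_VERSION      = '2024-05';  // assumed: version of the consent wording on the form

// Unchecked boxes are absent from POST, so each purpose must be ticked on its own (and the
// box is rendered unticked). Accepting the ToS never implies marketing consent.
function purposes_from_form(array $post): array {
    return [
        'marketing_email' => isset($post['consent_marketing']) && $post['consent_marketing'] === '1',
    ];
}

// Bind the address and issue time with an HMAC so a link cannot be forged or retargeted.
function build_confirmation_token(string $email, int $issued_at, string $secret): string {
    $email = strtolower(trim($email));
    if (strpos($email, '|') !== false) {
        throw new InvalidArgumentException('invalid email address');
    }
    $payload = $email . '|' . $issued_at;
    $mac     = hash_hmac('sha256', $payload, $secret);
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

// Returns the confirmed address, or null for a malformed, forged or expired link.
// hash_equals() keeps the MAC comparison constant-time.
function verify_confirmation_token(string $token, string $secret, int $now): ?string {
    $b64  = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw  = base64_decode($b64, true);
    if ($raw === false || substr_count($raw, '|') !== 2) {
        return null;
    }
    [$email, $issued_at, $mac] = explode('|', $raw);
    if (!preg_match('/^\d{1,12}$/', $issued_at)) {
        return null;
    }
    $expected = hash_hmac('sha256', $email . '|' . $issued_at, $secret);
    if (!hash_equals($expected, $mac) || $now - (int) $issued_at > CONFIRM_TTL_SECONDS) {
        return null;
    }
    return $email;
}

// Written only after the confirmation click, never at signup.
function record_consent(string $email, string $ip, array $purposes, int $now): array {
    return [
        'email'          => $email,
        'event'          => 'granted',
        'purposes'       => array_keys(array_filter($purposes)),  // only boxes actually ticked
        'method'         => 'double_opt_in',
        'consented_at'   => gmdate('c', $now),  // UTC time of the confirmation click
        'ip'             => $ip,                // IP of the confirming request
        'policy_version' => POLICY_VERSION,
    ];
}

// Withdrawal is a second record; the original grant stays as evidence of what was agreed.
function record_withdrawal(string $email, string $ip, array $purposes, int $now): array {
    return [
        'email'        => $email,
        'event'        => 'withdrawn',
        'purposes'     => $purposes,
        'method'       => 'unsubscribe_link',
        'withdrawn_at' => gmdate('c', $now),
        'ip'           => $ip,
    ];
}

// Demo with constructed input: fixed clock, no network, no database.
$secret = 'replace-with-a-random-32-byte-secret-from-config';  // assumption
$now    = 1700000000;
$store  = [];
$form   = ['tos_accepted' => '1', 'consent_marketing' => '1'];  // two separate boxes, both ticked
$token  = build_confirmation_token('Alice@Example.com', $now, $secret);

// The subscriber clicks the link ten minutes later; only now is consent recorded.
$email = verify_confirmation_token($token, $secret, $now + 600);
if ($email === null) {
    throw new RuntimeException('confirmation link rejected');
}
$store[] = record_consent($email, '203.0.113.7', purposes_from_form($form), $now + 600);

// A tampered link and a stale link must both be rejected; a ToS-only signup carries no purpose.
if (verify_confirmation_token(substr($token, 0, -2) . 'AA', $secret, $now + 600) !== null
    || verify_confirmation_token($token, $secret, $now + CONFIRM_TTL_SECONDS + 1) !== null
    || array_filter(purposes_from_form(['tos_accepted' => '1'])) !== []) {
    throw new RuntimeException('consent handling is broken');
}

$store[] = record_withdrawal($email, '203.0.113.7', ['marketing_email'], $now + 86400);
echo json_encode($store, JSON_PRETTY_PRINT), PHP_EOL;
```

Two design choices matter for audits. The IP and timestamp stored are those of the confirmation click, not the signup, because the click is the act that proves the address holder agreed; and records are never updated in place, so a later unsubscribe does not erase the evidence of the earlier grant. If you use a hosted platform instead, check that its subscriber records hold the same fields.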
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
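Tokenized forms keep card numbers out of your server on the happy path, but free-text fields (order notes, support forms, comments) are where customers paste them anyway, and one stored or logged PAN pulls the whole site back into PCI scope. As an added example, not from the post or from Stripe, PayPal or WooCommerce, here is a server-side guard that refuses to persist a submission containing a Luhn-valid 13 to 19 digit number and masks such numbers in anything that must be logged. Function names are hypothetical and the sample submission is constructed.

```javascript
// Luhn check: the checksum every real card number satisfies. It only filters
// false positives; a number that passes is treated as a PAN and kept out of storage.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_CANDIDATE = /(?:\d[ -]?){12,18}\d/g;

function isPan(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Returns the normalized digit strings of every PAN found in a piece of text.
function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    if (isPan(m[0])) hits.push(m[0].replace(/[ -]/g, ''));
  }
  return hits;
}

// Run before writing a form submission to the database or an email queue.
// Callers should reject the request and tell the user to use the payment form.
function screenSubmission(fields) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    if (findPans(value).length > 0) offending.push(name);
  }
  return { ok: offending.length === 0, offending };
}

// For text that must be logged regardless (e.g. an abuse report), keep only the last 4.
function redact(text) {
  return String(text).replace(PAN_CANDIDATE, (m) => {
    if (!isPan(m)) return m;
    const digits = m.replace(/[ -]/g, '');
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Constructed submission: the note field contains a test card number, the phone and
// order fields are digit runs that must not trigger the guard.
const sampleSubmission = {
  name: 'A. Customer',
  note: 'please charge 4242 4242 4242 4242',
  phone: '555-123-4567',
  order: 'ORD-2024-000123',
};

module.exports = { luhnValid, findPans, screenSubmission, redact, sampleSubmission };
```

Run this on the request body of every form handler that stores or emails its input, not only on checkout. The Luhn filter is what keeps order numbers and phone numbers from being flagged, so keep it: a raw "13+ digits" rule would reject legitimate submissions and train staff to ignore the guard.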
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree (using the site implies acceptance, or explicit checkbox for services)
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU’s ePrivacy Directive (the “Cookie Law”) and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. “Prior” means before the cookie is set - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must store a record of what was consented to, when, and by which user
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Matomo, Hotjar session recordings | Yes under GDPR |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
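The requirements above and the category table, turned into code as an added example (not code from the original post or from any plugin it names): a minimal consent gate that defaults to deny, records granular choices with a timestamp and policy version, withdraws consent as easily as it was given, and loads a tag only once its category is consented. The storage adapter, script loader, cookie remover, registry entries, cookie names and policy version are assumptions for the demo.

```javascript
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
// Constructed value: bump it whenever the cookie policy text changes, so
// records given under an older policy are re-asked instead of reused.
const POLICY_VERSION = '2024-06';
const STORAGE_KEY = 'cookie_consent';
// Constructed registry of gated tags. 'necessary' never appears here:
// session, login and CSRF cookies are exempt and are not gated at all.
const SCRIPT_REGISTRY = [
  { id: 'matomo', category: 'analytics', src: 'https://analytics.example/matomo.js', cookies: ['_pk_id', '_pk_ses'] },
  { id: 'fb-pixel', category: 'marketing', src: 'https://pixel.example/fbevents.js', cookies: ['_fbp'] },
];

function createConsentManager({ storage, loadScript, removeCookie, now = () => new Date() }) {
  const loadedIds = new Set();

  // Stored record, or null when there is no valid consent. A record written
  // under an earlier policy version counts as no consent.
  function current() {
    const raw = storage.get(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }

  // Default deny: without an explicit, current record only 'necessary' passes.
  function isAllowed(category) {
    if (category === 'necessary') return true;
    const rec = current();
    return Boolean(rec && rec.granted.includes(category));
  }

  // `choices` comes from an explicit click, e.g. { analytics: true, marketing: false }.
  // Any category not explicitly true is refused (no pre-ticked boxes). The returned
  // record is the audit entry: what was consented, when, by whom, under which policy.
  function record(choices, subjectId) {
    const optional = CATEGORIES.filter((c) => c !== 'necessary');
    const granted = optional.filter((c) => choices[c] === true);
    const rec = {
      policyVersion: POLICY_VERSION,
      grantedAt: now().toISOString(),
      subjectId, // pseudonymous visitor id or account id
      granted,
      refused: optional.filter((c) => !granted.includes(c)),
    };
    storage.set(STORAGE_KEY, JSON.stringify(rec));
    return rec;
  }

  // 'Accept all' and 'Reject all' must be equally available and equally easy.
  function acceptAll(subjectId) {
    return record(Object.fromEntries(CATEGORIES.map((c) => [c, true])), subjectId);
  }
  function rejectAll(subjectId) {
    return record({}, subjectId);
  }

  // Withdrawal drops the record and expires every cookie of the gated categories.
  // Tags already running on this page stay until a reload, which is why a reload
  // is usually triggered right after withdrawal.
  function withdraw() {
    const expired = [];
    for (const s of SCRIPT_REGISTRY) {
      for (const name of s.cookies) { removeCookie(name); expired.push(name); }
    }
    storage.remove(STORAGE_KEY);
    return expired;
  }

  // Load each registered tag at most once, and only once its category is consented.
  function applyConsent() {
    const loaded = [];
    for (const s of SCRIPT_REGISTRY) {
      if (isAllowed(s.category) && !loadedIds.has(s.id)) {
        loadScript(s);
        loadedIds.add(s.id);
        loaded.push(s.id);
      }
    }
    return loaded;
  }

  return { current, isAllowed, record, acceptAll, rejectAll, withdraw, applyConsent };
}

// Offline demo with in-memory adapters. In a browser, `storage` would wrap localStorage,
// `loadScript` would append a <script src> element and `removeCookie` would set the
// cookie with an expiry date in the past.
function demo() {
  const store = new Map();
  const events = [];
  const cm = createConsentManager({
    storage: { get: (k) => store.get(k) || null, set: (k, v) => store.set(k, v), remove: (k) => store.delete(k) },
    loadScript: (s) => events.push(`load:${s.id}`),
    removeCookie: (name) => events.push(`expire:${name}`),
  });
  cm.applyConsent(); // nothing loads before a choice is made
  cm.record({ analytics: true }, 'visitor-42'); // granular: analytics only
  cm.applyConsent(); // loads matomo, not the pixel
  cm.withdraw(); // expires _pk_id, _pk_ses and _fbp
  return events; // ['load:matomo', 'expire:_pk_id', 'expire:_pk_ses', 'expire:_fbp']
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The `record()` return value is what you persist server-side (or export from your plugin) as the consent log the checklist asks for; the demo keeps it in memory only.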
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
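As an added example (not the post’s code, nor Stripe’s or PayPal’s), a server-side guard that rejects any request field shaped like a card number and insists on a processor token instead, so a misconfigured form cannot push raw PANs into your database or logs. The token prefixes, the sample bodies and the Express-style middleware signature are assumptions for the demo.

```javascript
// Luhn checksum over a string of digits (the check every card number passes).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when a value is shaped like a PAN: 13 to 19 digits once spaces and
// dashes are removed, and Luhn-valid. Order ids and phone numbers rarely pass both.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed JSON body and return the dotted paths of fields that look like
// PANs. Values are never copied out: only the path is reported, so the verdict
// itself can be logged safely.
function findPanFields(body, path = '') {
  const hits = [];
  if (body !== null && typeof body === 'object') {
    for (const [k, v] of Object.entries(body)) {
      hits.push(...findPanFields(v, path ? `${path}.${k}` : k));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Decision for a checkout request. The prefixes are an assumption for the demo;
// Stripe's PaymentMethod ids start with "pm_" and its legacy tokens with "tok_".
function guardPaymentRequest(body, allowedTokenPrefixes = ['pm_', 'tok_']) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    // Refuse and report which fields offended, never what they contained.
    return { ok: false, reason: 'raw card data in request', panFields };
  }
  const token = body && body.paymentToken;
  if (typeof token !== 'string' || !allowedTokenPrefixes.some((p) => token.startsWith(p))) {
    return { ok: false, reason: 'missing processor token', panFields: [] };
  }
  return { ok: true, reason: null, panFields: [] };
}

// Express-style middleware (assumes the JSON body is already parsed). Mount it
// before any request logging so a rejected body is never written to disk.
function panGuardMiddleware(req, res, next) {
  const verdict = guardPaymentRequest(req.body);
  if (!verdict.ok) return res.status(400).json({ error: verdict.reason, fields: verdict.panFields });
  return next();
}

// Constructed sample bodies: a correct client sends only the token; a broken
// form posts the number itself (Stripe's public test card, not a real PAN).
const SAMPLE_GOOD = { paymentToken: 'pm_example123', amount: 1999, currency: 'eur' };
const SAMPLE_BAD = { paymentToken: 'pm_example123', amount: 1999, card: { number: '4242 4242 4242 4242', exp: '12/30' } };
```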
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (provide data within 30 days)
- Process for deletion requests (erase data within 30 days, with exceptions)
- Process for portability requests (export data in machine-readable format)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form)
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. Not having them signed is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of discovering a data breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected users directly. Designate someone responsible for breach assessment and notification in your organization.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), updated to CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ California residents per year, or earn 50%+ of revenue from selling personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be “selling” or “sharing” data under the CCPA’s broad definitions.
The practical requirement for most websites: add a “Do Not Sell or Share My Personal Information” link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor’s servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire).
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database. Stripe’s Stripe.js and Elements, PayPal’s Smart Buttons, and WooCommerce’s official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before sending to your server.
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (typically 13 or 16 for EU sites), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking a “I have read and agree to the Terms of Service” box during registration creates a documented record of acceptance. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR, you need explicit opt-in consent to send marketing emails to subscribers. Under CAN-SPAM (US), opt-in is not required but unsubscribe must work within 10 days. Under CASL (Canada), explicit opt-in is required for commercial messages, with the only exceptions being existing business relationships.
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner’s Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner’s Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Most websites operate in a fog of legal uncertainty. The owner vaguely knows they need a privacy policy. They installed a cookie consent banner at some point. They assume they are probably compliant with GDPR. In most cases, that assumption is wrong - and the gap between “probably compliant” and “actually compliant” is where regulatory fines and user lawsuits happen.
This guide covers the legal requirements that actually apply to websites operating in 2026: privacy laws across major jurisdictions, what your privacy policy must contain, terms of service basics, cookie consent mechanics, and the compliance checklist that covers 95% of what regulators look for. It is practical and specific - not a legal treatise, but a working reference for website owners.
Nothing in this guide is legal advice. Laws vary by jurisdiction and change frequently. For specific compliance questions, consult a qualified attorney familiar with privacy law. This guide provides general information about common requirements.
Privacy Laws That May Apply to Your Website
The most important privacy laws are not limited to businesses in the jurisdiction where the law was passed. GDPR applies to any business, wherever it is located, that offers goods or services to people in the EU or monitors their behaviour there (Article 3(2)). A small US website that sells to European customers is subject to GDPR. This extraterritorial reach is now common in modern privacy legislation.
| Law | Jurisdiction | Who It Applies To | Key Requirements | Maximum Fine |
|---|---|---|---|---|
| GDPR | European Union | Any business offering goods or services to, or monitoring the behaviour of, people in the EU, wherever the business is based | Lawful basis for processing, consent, data subject rights, DPO for large processors | 4% of global annual turnover or 20M EUR, whichever is higher |
| CCPA/CPRA | California, USA | Businesses meeting revenue/data thresholds that collect CA resident data | Right to know, right to delete, right to opt-out of sale, no discrimination for exercising rights | $7,500 per intentional violation |
| LGPD | Brazil | Any business processing Brazilian resident data | Similar to GDPR - lawful basis, consent, data subject rights | 2% Brazilian annual revenue (up to R$50M) |
| PIPEDA | Canada | Canadian businesses and those collecting Canadian resident data commercially | Consent, purpose limitation, data subject access rights | Up to CAD $100,000 |
| UK GDPR | United Kingdom | Businesses processing data of people in the UK (post-Brexit) | Similar to EU GDPR, administered by the ICO | 4% of global annual turnover or £17.5M, whichever is higher |
The practical implication: if your website is publicly accessible and you collect any data from EU visitors (email signups, contact forms, analytics cookies, advertising pixels), you are very likely monitoring their behaviour or offering them a service in the GDPR's sense, and so fall under it. Given that EU-based visitors reach most English-language websites, treat GDPR compliance as a baseline requirement.
What Your Privacy Policy Must Include
A privacy policy is a legal document disclosing how you collect, use, store, and share personal data. It must be written in plain language (GDPR specifically requires this), and it must be accurate - a generic template that does not reflect your actual data practices is not GDPR-compliant.
Required Sections
- Who you are: Business name, registered address, contact information, DPO contact if applicable
- What data you collect: Specific categories (name, email, IP address, cookies, payment information, device data)
- How you collect it: Contact forms, analytics, cookies, user registration, purchases
- Why you collect it (lawful basis under GDPR): Legitimate interest, contract performance, legal obligation, or consent
- How long you keep it: Retention periods for each data type
- Who you share it with: Named third parties (Google Analytics, payment processors, email platforms, cloud hosting providers)
- Your data subject rights: Right to access, correct, delete, restrict processing, data portability, and object to processing
- Cookie information: What cookies you use and why
- How to contact you: Email address or form for privacy inquiries
- How you will notify of changes: How users will be informed of policy updates
Privacy Policy Generators: Comparison
| Service | Price | Approach | Auto-updates | Covers |
|---|---|---|---|---|
| Termageddon | $99/yr per site | Questionnaire generates legally reviewed policy | Yes - auto-updates when laws change | GDPR, CCPA/CPRA, PIPEDA, LGPD, UK GDPR, and more |
| iubenda | From $27/yr | Self-service builder with legal database | Yes | GDPR, CCPA, LGPD, CalOPPA, and others |
| TermsFeed | From $14 one-time per policy | Questionnaire-based generator | No (manual updates required) | GDPR, CCPA, and others |
| GetTerms | Free to $10/mo | Simple template generator | Limited | Basic coverage, less jurisdiction-specific |
Termageddon is the strongest choice for ongoing compliance. Laws change - CCPA became CPRA, Brazil’s LGPD was amended, state-level US laws keep being enacted. Termageddon monitors legal changes and automatically updates your hosted policy when relevant laws change. The $99/year is cheap compared to the cost of having an outdated policy cited in a complaint.
iubenda generates policies and also provides a consent management platform, making it a good all-in-one if you want both the policy and the cookie consent tool from one provider. Their pricing scales by features and site traffic.
Terms of Service: What You Actually Need
Unlike a privacy policy (legally required if you collect personal data), a Terms of Service (ToS) is not legally mandated - but it protects you. A ToS defines the rules for using your website or service, limits your liability, establishes which jurisdiction’s laws govern disputes, and sets expectations for user behavior.
Key Sections in a Terms of Service
- Acceptance of terms: How users agree. A checkbox or button that names the terms (clickwrap) is consistently enforced by courts; "by using the site you agree" (browsewrap) often is not, so use the explicit step for anything involving accounts or payments
- What your service does and does not do: Clear description of what you offer
- User obligations: What users can and cannot do (no illegal use, no spam, no reverse engineering)
- Intellectual property: Who owns content created on your platform; your license to display user-uploaded content
- Payment terms: Refund policy, billing cycles, what happens on non-payment (for paid services)
- Limitation of liability: Cap on damages you are liable for
- Disclaimer of warranties: Service provided “as is”
- Termination: Under what conditions you can suspend or terminate accounts
- Dispute resolution: Arbitration clause, jurisdiction, and governing law
- Changes to terms: How you will notify users of updates
For community platforms and marketplaces, the ToS becomes especially important because it establishes rules for user-generated content, sets moderation standards, and defines the relationship between you and users who buy/sell on the platform.
Cookie Consent: What the Law Actually Requires
The EU's ePrivacy Directive (the "Cookie Law") and GDPR together require that websites obtain prior, informed, freely given, specific, and unambiguous consent before setting any non-essential cookies. The rule covers any storage of, or access to, information on the visitor's device, not only cookies: localStorage, tracking pixels, embedded SDKs and fingerprinting scripts are caught as well. "Prior" means before the cookie is set or the script runs - not after the visitor has already been tracked for a session.
The key practical requirements:
- No pre-ticked boxes: Consent must be active (the user clicks “Accept”), not passive (accepting by scrolling or continuing to browse)
- Granular consent: Users must be able to consent to analytics cookies separately from marketing cookies. A single “Accept All” option without a “Reject All” equivalent is not valid consent.
- Easy withdrawal: Users must be able to withdraw consent as easily as they gave it. A cookie settings link in the footer is the standard.
- No cookie wall: Refusing consent cannot be a condition of accessing the site (in most cases)
- Consent records: You must be able to demonstrate consent, so store a record of what was consented to, when, how (which button or action), which version of the cookie policy the visitor saw, and a pseudonymous identifier for the visitor. When the policy changes materially, older consent lapses and you must ask again
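How a consent gate that meets these requirements fits together, as an added example written for this guide (it is not code from Complianz, CookieYes or any other plugin, and the cookie name, policy version, six-month expiry and the `data-consent` placeholder attribute are this example's own assumptions): no category is pre-ticked, consent is recorded with when, how and against which policy version, scrolling or "continuing" is not accepted as an action, withdrawal is a first-class action, the Global Privacy Control browser signal is honoured, and third-party tags stay inert as `type="text/plain"` placeholders until the matching category is granted.

```javascript
// Consent gate for non-essential scripts. Added example for this guide; it is not code from
// Complianz, CookieYes or any other plugin, and the names below are this example's own.
const CATEGORIES = ['functional', 'analytics', 'marketing'];
const EXPLICIT_ACTIONS = ['accept_all', 'reject_all', 'custom', 'withdraw']; // scrolling or "continuing" is not one
const POLICY_VERSION = '2026-01';      // assumption: bump whenever the cookie policy changes; older consent lapses
const CONSENT_COOKIE = 'site_consent'; // first-party cookie holding the choice itself (strictly necessary, exempt)
const MAX_AGE_DAYS = 180;              // assumption: re-ask after six months

// Build the consent record: what was consented to, when, how, and against which policy version.
// Nothing is pre-ticked: only categories explicitly named in `granted` become true.
function buildConsentRecord(granted, action, now = new Date()) {
  if (!EXPLICIT_ACTIONS.includes(action)) throw new Error(`not an explicit consent action: ${action}`);
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  for (const c of granted) {
    if (!(c in choices)) throw new Error(`unknown category: ${c}`);
    choices[c] = true;
  }
  return { version: POLICY_VERSION, timestamp: now.toISOString(), action, choices };
}

// Global Privacy Control (request header "Sec-GPC: 1" or navigator.globalPrivacyControl === true)
// is an opt-out of sale/sharing under the CPRA: force marketing off whatever the banner collected.
function applyGpc(record, gpcEnabled) {
  if (!gpcEnabled) return record;
  return { ...record, gpc: true, choices: { ...record.choices, marketing: false } };
}

// May `category` run? Strictly necessary always may; anything else needs an explicit, unexpired
// record made against the current policy version. Missing or malformed records mean "no".
function isAllowed(record, category, now = new Date()) {
  if (category === 'necessary') return true;
  if (!record || record.version !== POLICY_VERSION || !record.choices) return false;
  if (!EXPLICIT_ACTIONS.includes(record.action)) return false;
  const ageMs = now.getTime() - Date.parse(record.timestamp);
  if (!(ageMs >= 0 && ageMs < MAX_AGE_DAYS * 86400000)) return false; // NaN (bad timestamp) fails here too
  return record.choices[category] === true;
}

// Withdrawal is a fresh record with everything off, logged like any other choice.
function withdrawConsent(now = new Date()) {
  return buildConsentRecord([], 'withdraw', now);
}

// The choice lives in a first-party cookie: Secure, SameSite=Lax, not HttpOnly because the banner
// script must read it on the next page view. Set-Cookie string plus the matching parser.
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; Secure; SameSite=Lax`;
}
function parseConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch { return null; }
  }
  return null;
}

// Script blocking: third-party tags ship as <script type="text/plain" data-consent="analytics" src="...">,
// which the browser never executes. Given such descriptors, pick the ones the record now permits.
function scriptsToActivate(record, scripts, now = new Date()) {
  return scripts.filter((s) => isAllowed(record, s.category, now));
}

// DOM side (browser only): replace each permitted placeholder with a live script element.
function activateBlockedScripts(record, doc) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = tags.map((el, index) => ({ index, category: el.dataset.consent, src: el.getAttribute('src') }));
  for (const d of scriptsToActivate(record, descriptors)) {
    const live = doc.createElement('script');
    if (d.src) live.src = d.src; else live.textContent = tags[d.index].textContent;
    tags[d.index].replaceWith(live);
  }
}
```

In the browser, the banner's buttons call buildConsentRecord with the categories the visitor ticked, the result is written with serializeConsentCookie (and sent to your consent log), then activateBlockedScripts(record, document) runs. On withdrawal, write withdrawConsent() to the cookie and expire the first-party cookies the now-disabled categories set (for instance _ga); cookies set by third-party domains cannot be deleted by your script, but they stop being refreshed once their script no longer loads.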
Cookie Categories
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, login authentication, shopping cart, CSRF tokens | No - these are exempt |
| Functional | Language preferences, timezone, saved preferences | Depends - often requires consent |
| Analytics | Google Analytics, Hotjar session recordings, Matomo with cookies enabled | Yes under GDPR (some authorities exempt strictly first-party, cookieless, anonymised audience measurement - see Privacy-First Analytics below) |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting, social media tracking pixels | Yes - requires explicit consent |
Cookie Consent Plugins Compared
| Plugin | Free Version | Paid Plans | Geo-targeting | Consent Logs | Script Blocking | IAB TCF |
|---|---|---|---|---|---|---|
| CookieYes | Yes (limited scans) | From $10/mo | Paid | Paid | Yes | Yes (paid) |
| Complianz | Yes (comprehensive) | From $49/yr | Yes (free) | Yes (free) | Yes | Yes |
| CookieBot (Usercentrics) | Up to 100 pages | From $16/mo | Yes | Yes | Yes | Yes |
| Real Cookie Banner | Free (basic) | From $39 one-time | No | Yes (free) | Yes | No |
| GDPR Cookie Compliance | Yes | From $59/yr | Paid | Paid | Yes | Limited |
Complianz is the best overall choice for most WordPress sites. The free version covers the basics including geo-targeting (showing consent banners only to visitors from GDPR jurisdictions) and consent logging. It scans your site for cookies automatically and suggests categories. The setup wizard walks through configuration in under 30 minutes.
CookieBot (now Usercentrics) is the most established enterprise option with full IAB TCF (Transparency and Consent Framework) support. If you run advertising or work with ad tech partners who require TCF consent strings, CookieBot is the standard choice.
Real Cookie Banner focuses on German compliance requirements (which are stricter than baseline GDPR) and provides consent documentation that satisfies German data protection authorities. For sites primarily targeting German users, it is the most thorough option.
GDPR Compliance Checklist
Data Mapping
- List every type of personal data you collect (name, email, IP, payment info, behavioral data)
- Document where each data type comes from (form, cookie, purchase, registration)
- Document where each data type is stored (your server, email platform, CRM, analytics service)
- Document who processes each data type (your team, third-party processors)
- Document retention periods for each data type
Lawful Basis
- Identify the lawful basis for each processing activity (consent, contract, legitimate interest, legal obligation)
- For consent-based processing: implement proper consent collection (no pre-tick, granular, withdrawable)
- For legitimate interest: document your Legitimate Interests Assessment (LIA)
Data Subject Rights
- Process for handling access requests (respond within one month; extendable by two further months for complex or numerous requests, provided you tell the requester within the first month)
- Process for deletion requests (erase within the same deadline, with exceptions such as data you must keep for legal or accounting reasons)
- Process for portability requests (export data in a machine-readable format such as JSON or CSV)
- Process for correction requests (update inaccurate data)
- Document where you receive these requests (email address or form) and how you verify the requester's identity before releasing or erasing anything - an unverified access request is an easy way for an attacker to exfiltrate someone else's data
Data Processing Agreements
Every third-party service that processes personal data on your behalf must have a Data Processing Agreement (DPA) with you. This includes: Google Analytics (sign Google’s DPA), email marketing platforms (Mailchimp DPA, ConvertKit DPA), payment processors (Stripe DPA, PayPal DPA), cloud hosting providers (Cloudways, Kinsta - both have DPAs available).
Most major vendors have DPAs available for download or electronic signature in their settings dashboards. Completing them is a 10-minute task per vendor. For vendors outside the EU/UK, check that the DPA also names the transfer mechanism (Data Privacy Framework certification or Standard Contractual Clauses). Not having DPAs in place is a GDPR violation even if everything else is in order.
Data Export and Deletion
WordPress has built-in data export and erasure tools under Tools > Export Personal Data and Tools > Erase Personal Data (added in WordPress 4.9.6). These work for core WordPress data but may not cover plugin data. Check if your WooCommerce orders, BuddyPress profiles, or form submissions have their own export/erasure tools.
Breach Notification
GDPR requires notifying your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk to individuals, you must also notify the affected people directly without undue delay. The clock starts when you become aware, not when the investigation ends, so the assessment process (who decides, on what evidence, who drafts the notice) must exist before the incident. Keep an internal log of every breach, including those you decide not to report: regulators can ask for it.
CCPA and California Requirements
The California Consumer Privacy Act (CCPA), amended by the CPRA effective January 2023, applies to for-profit businesses that: have annual gross revenue over $25 million (indexed for inflation), buy, sell or share personal information of 100,000+ California residents or households per year, or earn 50%+ of revenue from selling or sharing personal information. Many small websites do not meet these thresholds - but if you run any advertising, use Google Analytics with data sharing enabled, or use behavioral advertising pixels (Facebook Pixel), you may be "selling" or "sharing" data under the CCPA's broad definitions.
The practical requirement for most websites: add a "Do Not Sell or Share My Personal Information" link in your site footer. Most cookie consent plugins (CookieYes, Complianz) include CCPA-specific settings that display this link only to California visitors. CPRA regulations also require you to honor the Global Privacy Control browser signal (the Sec-GPC: 1 request header, or navigator.globalPrivacyControl in script) as a valid opt-out of sale and sharing; the California Attorney General's 2022 Sephora settlement turned largely on a site ignoring it. Check that your consent plugin reads the signal and not just the footer link.
Accessibility Requirements: ADA and WCAG 2.1
The Americans with Disabilities Act (ADA) has been interpreted by US courts to apply to websites. WCAG (Web Content Accessibility Guidelines) 2.1 Level AA is the de facto compliance standard cited in ADA lawsuits and DOJ guidance. Websites that fail accessibility standards face litigation risk from accessibility advocacy organizations and individual plaintiffs.
Core WCAG 2.1 AA requirements: text alternatives for images (alt attributes), sufficient color contrast (4.5:1 ratio for normal text), keyboard navigability, screen reader compatibility, captions for video, and no content that flashes more than 3 times per second (seizure risk). Run your site through WAVE (wave.webaim.org) or axe (free browser extension) for a free accessibility audit. Fix high-severity issues first.
PCI DSS: Payment Security Compliance
If your website accepts payment card payments, PCI DSS (Payment Card Industry Data Security Standard) applies. The easiest path to PCI compliance is to never handle card data yourself - use a hosted payment page or an embedded payment form (an iframe served by the processor) from a compliant processor (Stripe, PayPal, Square). When card data goes directly to the processor's servers and never touches yours, your PCI scope is dramatically reduced to PCI SAQ A (the simplest self-assessment questionnaire). One caveat: the checkout page that embeds the form is still yours, and PCI DSS 4.x expects you to control which scripts run on it and to detect changes to it, because an injected script can overlay or replace the payment form and skim card numbers before the processor ever sees them. Keep that page free of unvetted third-party tags and put a Content Security Policy on it.
Do not collect card numbers in your own forms. Do not store card numbers anywhere in your database, and make sure they cannot reach your logs, error reports or support tickets either (a stack trace that dumps the request body is the classic way a card number ends up stored). Stripe's Stripe.js and Elements, PayPal's Smart Buttons, and WooCommerce's official Stripe and PayPal plugins handle this correctly by collecting payment details client-side and tokenizing them before anything is sent to your server: your backend sees only a token or payment-method ID, never the card number.
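A check that keeps the server honest about that scope, as an added example for this guide (not Stripe's, PayPal's or WooCommerce's code; the Express-style req/res/next shape is an assumption): a request-body tripwire that refuses any field containing a Luhn-valid 13 to 19 digit number, so a mis-wired form or a well-meaning developer cannot quietly route a card number to your backend.

```javascript
// Tripwire for a server that is meant to stay in SAQ A scope: it must never receive a raw card
// number. Added example for this guide, not Stripe's, PayPal's or WooCommerce's code.
const MIN_PAN = 13;
const MAX_PAN = 19;

// Luhn (mod-10) checksum, which every payment card number satisfies; `digits` is ASCII digits only.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Does the text contain a card-number-shaped value: 13 to 19 digits, single spaces or dashes
// allowed between them, not embedded in a longer digit run, and Luhn-valid?
function containsPan(text) {
  const candidate = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;
  for (const match of String(text).match(candidate) || []) {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length >= MIN_PAN && digits.length <= MAX_PAN && luhnValid(digits)) return true;
  }
  return false;
}

// Walk a parsed JSON body and return the path of every field that carries a PAN.
function findPanFields(value, path = '$') {
  if (typeof value === 'string' || typeof value === 'number') return containsPan(value) ? [path] : [];
  if (Array.isArray(value)) return value.flatMap((v, i) => findPanFields(v, `${path}[${i}]`));
  if (value && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => findPanFields(v, `${path}.${k}`));
  }
  return [];
}

// Express-style middleware. The request is refused and only the field names are alerted on, never
// the values: logging the body would copy the PAN into your logs and pull the log pipeline into scope.
function rejectCardData(req, res, next) {
  const hits = findPanFields(req.body);
  if (hits.length === 0) return next();
  console.error(`PCI scope violation: card-number-shaped value in ${hits.join(', ')}`);
  return res.status(400).json({
    error: 'Card details must be entered in the payment form, not posted to this server.',
  });
}
```

Mount it on every endpoint the checkout flow posts to, ahead of anything that logs request bodies. Expect rare false positives from other Luhn-checked numbers such as IMEIs and some national ID numbers; on a checkout endpoint that should only ever see a payment-method token, rejecting those too is the right trade.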
DMCA Agent Registration for UGC Sites
If your site allows users to upload content (images, videos, documents, comments), the DMCA (Digital Millennium Copyright Act) safe harbor provisions protect you from liability for copyright infringement by users - but only if you have registered a DMCA agent with the US Copyright Office and have a working takedown process.
Registration costs $6 and takes 15 minutes at copyright.gov/dmca-directory; the designation must be renewed every three years or it lapses, so put the renewal date in your compliance calendar. Add a DMCA policy page to your site explaining your takedown process, and designate an email address or form for receiving DMCA notices. For community platforms like BuddyPress-powered sites with user-generated content, this registration is important protection.
COPPA: Protecting Children’s Privacy
COPPA (Children’s Online Privacy Protection Act) prohibits collecting personal information from children under 13 without verifiable parental consent. If your website is directed at children, or if you know you have users under 13, COPPA compliance is legally required. The FTC has issued substantial fines for COPPA violations (Google/YouTube paid $170 million in 2019).
For most business and community sites not targeting children, the practical requirement is: include a minimum age requirement in your ToS (13 in the US; the GDPR sets 16 for consent-based online services but lets member states lower it to 13, so EU-facing sites typically use 16), and add a date of birth or age check to registration forms if there is any possibility of underage users.
Legal Page Templates and Placement
Your legal pages need to be accessible. The standard placement:
- Privacy Policy: Link in footer, link from registration forms, link from cookie consent banner, link from checkout pages
- Terms of Service: Link in footer, link from registration with “I agree” checkbox, link from checkout
- Cookie Policy: Link in cookie consent banner (either separate page or section in Privacy Policy)
- DMCA Policy: Link in footer if you have user-generated content
Checking an "I have read and agree to the Terms of Service" box during registration creates a documented record of acceptance; leave the box unchecked by default and store the timestamp and the version of the terms accepted with the account. For GDPR consent, separate checkboxes for each consent purpose (email marketing vs necessary account data) are required - bundled consent is not valid.
Ongoing Compliance Maintenance
Privacy compliance is not a one-time checkbox - laws change, your site changes, and new tools get added that collect new data. Build these maintenance tasks into your regular schedule:
| Task | Frequency | Notes |
|---|---|---|
| Review privacy policy for accuracy | Quarterly | Does it reflect all current data practices? New plugins? New analytics? |
| Run cookie scan | Monthly | New plugins often add cookies. Rescan after any plugin install. |
| Verify DPAs are current | Annually | Vendors update their DPAs. Check all signed agreements are still current versions. |
| Review consent records | Annually | Ensure consent log storage is working and records are accessible. |
| Check for new applicable laws | Quarterly | US state privacy laws are being enacted rapidly. Subscribe to IAPP newsletter. |
| Accessibility audit | Annually | Run WAVE scan after major design changes. |
Email Marketing Consent and Privacy
Email marketing has its own consent requirements on top of GDPR. Under GDPR and the ePrivacy rules, you need explicit opt-in consent to send marketing emails to subscribers (with a narrow exception for existing customers being offered similar products, provided every message carries an opt-out). Under CAN-SPAM (US), opt-in is not required, but opt-out requests must be honoured within 10 business days and the unsubscribe mechanism must keep working for at least 30 days after each send. Under CASL (Canada), express opt-in is required for commercial messages, with limited implied-consent exceptions (chiefly an existing business relationship).
For a globally compliant email list: use a double opt-in confirmation (subscriber clicks a link in a confirmation email before being added to your list), record the date, IP, and method of consent for each subscriber, honor unsubscribe requests within 24 hours (not 10 days - be faster than legally required), and never purchase email lists. These practices satisfy all major jurisdictions simultaneously.
Most email marketing platforms (Mailchimp, ConvertKit, ActiveCampaign) store consent data automatically when using their forms. Verify that your forms are creating proper consent records by checking the subscriber records in your platform’s dashboard.
Privacy-First Analytics Options
Google Analytics requires consent under GDPR because it sets tracking cookies and sends data to Google’s servers in the US. If you want analytics without the consent overhead, privacy-first alternatives are available:
- Matomo (self-hosted): Full-featured analytics, self-hosted so data stays on your server. Cookie-less mode available. Does not require consent under most GDPR interpretations when configured correctly.
- Plausible: From $9/month. No cookies, no personal data, GDPR-compliant by design. Simple dashboard with key metrics.
- Fathom Analytics: From $14/month. Similar to Plausible, privacy-focused, no consent banner required.
Switching to a privacy-first analytics tool eliminates the need for analytics cookie consent, simplifies your cookie consent banner, and often speeds up your site (privacy-first tools load a much smaller script than Google Analytics).
Series Navigation
This post is part of the Website Owner's Toolkit - a 21-part series covering everything you need to run a successful website.
- Website Owner's Toolkit - Series Hub (All 21 Parts)
- Part 7: Website Analytics - What to Track and What to Ignore
- Part 9: Email Marketing - How to Build a List That Actually Converts
- Part 19: Accept Payments on Your Website - Gateway Guide
Related reading