Privacy policy: what should be published?

Updated April 2026 - A privacy policy should not be generic text added to the footer. It is the cornerstone of your company's GDPR compliance and must clearly explain how you collect, use, store and protect the personal data of your customers, prospects and Internet users.

See also: Digitalization of businesses, File a complaint for breach of trust and legal AI.

The privacy policy is a legal document which informs the people whose data you process about the conditions of this processing. It meets the information obligation provided for by Articles 13 and 14 of the General Data Protection Regulation (GDPR), in force since May 2018.

In practice, this document must be accessible from each page of your website, readable and understandable by a non-lawyer. The CNIL regularly reminds us of this in its guidelines: information must be "concise, transparent, understandable and easy to access".

Confusion is common, but the two documents have neither the same purpose nor the same legal basis.

The two documents are therefore complementary and mandatory for any professional site. Not confusing them is the first step to successful compliance.

Each company has specific treatments, but certain mentions are essential. Here is the complete list of sections to include:

1. Identity of the data controller#

This is generally your company (company name, head office address, SIRET number). If you have designated a data protection officer (DPO), their contact details must also appear.

2. Purposes of processing#

For each category of data collected, you must specify the objective pursued:

• management of contact requests via form;
• sending newsletters and commercial communications;
• execution of a contract or provision of a service;
• audience analysis and navigation statistics;
• management of applications and recruitment;
• order processing and invoicing.

3. Legal basis for each processing#

The GDPR requires that each processing operation be based on one of the six legal bases in Article 6:

• consent of the person (e.g.: marketing cookies, newsletter);
• execution of a contract (e.g.: billing data);
• legal obligation (e.g.: conservation of accounting documents);
• legitimate interest of the data controller (e.g.: security of the information system).

Specifying the legal basis for each purpose is not optional. The CNIL has reiterated this on numerous occasions in its practical guides.

4. Data recipients#

Who has access to the data? Your internal team? An IT service provider? A CRM tool hosted abroad? Each category of recipients must be mentioned.

5. Shelf life#

Data cannot be retained indefinitely. You must indicate precise durations:

• customer contact data: 3 years after the last contact (CNIL recommendation);
• invoices and accounting documents: 10 years (tax obligation);
• application data: 2 months maximum after the last exchange (unless explicitly agreed);
• audience measurement cookies: 13 months maximum.

6. Rights of individuals#

Any person whose data you process has rights that they can exercise at any time:

• right of access to its data;
• right of rectification;
• right to erasure ("right to be forgotten");
• right to limitation of processing;
• right to portability;
• right of opposition, in particular to profiling and commercial prospecting.

Specify the concrete terms of exercise: dedicated e-mail address, online form, response time (1 month maximum).

7. Transfers outside the European Union#

If you use tools whose servers are located outside the EU (Google Analytics, Meta, etc.), you must inform people and mention the guarantees put in place (standard contractual clauses, adequacy decisions).

In our daily practice, we find that the majority of confidentiality policies presented on SME sites have the same shortcomings:

• text too generic, often copy-pasted from an online model without adaptation;
• absence of detail on the forms: no information at the time of collection;
• no mention of cookies or vague référence to a "banner" without a link to a dedicated policy;
• shelf life periods absent or indicated indefinitely ("as long as necessary");
• poorly presented rights: simple list of rights without terms of exercise;
• information on subcontractors missing: the customer does not know who processes his data.

These defects are not trivial. In 2025, the CNIL imposed sanctions totaling more than 70 million euros, several of which specifically concerned a failure to inform individuals. The risk is therefore not theoretical.

Hayot Expertise advice: start from the actual uses of your site: contact form, application, newsletter, analytics, cookies, CRM, payment, appointment making. Each use corresponds to a treatment which must be documented.

Managing cookies remains one of the most complex topics for businesses. The CNIL published clear guidelines in September 2020, since updated, which apply to all websites accessible from France.

To be compliant, you must put in place:

• a cookies banner visible upon arrival on the site, before any deposit of non-essential tracers;
• a préférence center allowing you to accept or refuse each category of cookies individually;
• detailed information on the nature of each tracer, its purpose and its lifespan;
• proof of consent (or refusal) kept for a maximum of 13 months.

Since 2026, European data protection authorities have been strengthening their cooperation on this subject. Several recent decisions have confirmed that consent must be "free, specific, informed and unambiguous". Simply continuing to browse no longer constitutes consent.

Good to know: cookies strictly necessary for the operation of the site (shopping cart, authentication, security) do not require consent. Audience measurement cookies are also "exempt", under strict conditions defined by the CNIL.

The CNIL provides information notice models that can be adapted to your situation. We recommend the following approach:

1. Map your processing: list all the data collected, their source, their purpose and their recipient.
2. Identify the legal bases: each processing must be based on a valid basis.
3. Write in accessible language: avoid legal jargon, use short sentences, structure with titles.
4. Integrate the information in the right place: the policy must be accessible from each page, and specific information must be displayed at the time of collection (contact form, newsletter registration).
5. Review regularly: with each new service, new tool or change in legislation, update your policy.

A useful privacy policy is clear, concrete and aligned with the company's actual treatments. In 2026, the risk is not only legal: imprecise information also damages the trust your customers and prospects place in you.

Data protection authorities continue to strengthen their action. In France, the CNIL has increased inspections and formal notices. Taking the time to write a serious policy is not a constraint: it is an investment in the relationship of trust with your customers.

Make your mentions and GDPR documentation reliable

(Official sources: Entreprendre.Service-Public.fr on mandatory notices, CNIL on information notice models, CNIL on cookies, CNIL on the right to information)