Check the notice against reality

  • Does it describe the categories of personal data collected?
  • Does it explain the purposes clearly?
  • Does it match forms, sign-up flows, payment flows, support workflows, and marketing tools?
  • Does it identify how someone can exercise rights or make a privacy complaint?
  • Does it include a business contact for privacy questions?

Red flags

  • Generic policy copied from another site
  • Tools (analytics, marketing, payment, support) in use that the notice does not mention
  • No privacy contact
  • No route to withdraw consent or exercise rights
  • Children’s data not considered
  • Vendor processing not understood