Privacy Notice Disclosure Template for the United States

What is a Privacy Notice Disclosure?

The Privacy Notice Disclosure is essential for any organization operating in the United States that collects, processes, or stores personal information. This document is required by various federal and state privacy laws and must be provided to individuals before or at the point of data collection. It should be regularly updated to reflect changes in data practices and evolving privacy regulations. The Privacy Notice Disclosure typically includes information about data collection methods, processing purposes, sharing practices, security measures, and individual rights regarding their personal information.

Frequently Asked Questions

Is a Privacy Notice Disclosure legally binding in the United States?

Yes, Privacy Notice Disclosures are legally required and binding under federal laws like HIPAA, GLBA, and COPPA, as well as state privacy laws such as California's CCPA and CPRA. Organizations must comply with these notices and face significant penalties for violations, including fines up to $7,500 per violation under CCPA and potential criminal charges under HIPAA.

What penalties can I face if my Privacy Notice Disclosure is missing or incomplete?

Missing or incomplete privacy notices can result in severe penalties including CCPA fines up to $7,500 per violation, FTC enforcement actions with potential millions in penalties, and class-action lawsuits. Under HIPAA, violations can lead to fines up to $1.5 million per incident and potential criminal charges. State attorneys general can also impose additional penalties under local privacy laws.

Which specific US privacy laws require a Privacy Notice Disclosure?

Federal laws requiring privacy notices include HIPAA (healthcare), GLBA (financial services), COPPA (children under 13), and FERPA (education records). State laws like California's CCPA/CPRA, Virginia's CDPA, and Colorado's CPA also mandate specific privacy disclosures. Requirements vary by industry, data types collected, and states where you operate or serve consumers.

How is a Privacy Notice Disclosure different from Terms of Service?

A Privacy Notice Disclosure specifically focuses on data collection, use, sharing, and consumer privacy rights as required by privacy laws. Terms of Service govern the overall relationship and usage rules between a business and users. While Terms of Service are contractual agreements, Privacy Notices are regulatory compliance documents with specific legal formatting and content requirements under privacy statutes.

How long does it typically take to create a compliant Privacy Notice Disclosure?

Creating a comprehensive Privacy Notice Disclosure typically takes 2-4 weeks with legal review, including time to audit data practices, identify applicable laws, draft policy language, and ensure cross-jurisdictional compliance. Simple businesses may complete basic notices in 1-2 weeks, while complex organizations handling sensitive data across multiple states may require 4-8 weeks for proper compliance review.

What common mistakes do businesses make with Privacy Notice Disclosures in the US?

Common mistakes include using generic templates without state-specific customization, failing to update notices when data practices change, not providing required consumer rights information under CCPA, and inadequate disclosure of third-party data sharing. Many businesses also fail to post notices prominently, don't provide notices in required languages, or omit industry-specific requirements like HIPAA's minimum necessary standard.

When must I provide a Privacy Notice Disclosure to consumers under US law?

Privacy notices must be provided at or before the point of data collection under most US privacy laws. CCPA requires notice at collection, GLBA mandates notices annually and when privacy practices change, and HIPAA requires notices at first service delivery. The notice must be conspicuously posted, easily accessible, and provided in a clear, understandable format before any personal information is collected.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the Privacy Notice Disclosure

Your Privacy Notice Disclosure is a fundamental legal document that ensures your organization complies with United States privacy laws while building trust with your customers. This comprehensive notice explains how you collect, use, share, and protect personal information, serving as your primary communication tool for data transparency requirements under federal and state regulations.

When do you need this document?

You need a Privacy Notice Disclosure if your organization collects any personal information from individuals in the United States. This includes businesses with websites that gather email addresses, healthcare providers handling patient data, financial institutions processing customer information, and companies serving California residents under CCPA requirements. E-commerce sites, mobile apps, subscription services, and any organization that uses cookies or tracking technologies must also provide this disclosure. Educational institutions, nonprofits, and government agencies that collect personal data are equally required to maintain current privacy notices. The disclosure must be accessible before or at the point of data collection and prominently displayed on your website or in your application.

Key legal considerations

Your Privacy Notice Disclosure must accurately reflect your actual data practices and cannot contain misleading statements about data collection or use. The notice should clearly identify what personal information you collect, including both directly provided data and automatically collected information like IP addresses and browsing behavior. You must explain the specific purposes for data processing, identify third parties who receive shared information, and detail how individuals can exercise their privacy rights. The document should address data retention periods, security measures implemented to protect personal information, and procedures for handling data breaches. International data transfers require specific disclosures about cross-border data sharing and applicable safeguards. Your notice must also include contact information for privacy inquiries and specify how individuals will be notified of material changes to your privacy practices.

Legal requirements in the United States

Under United States law, your Privacy Notice Disclosure must comply with multiple overlapping federal and state regulations depending on your industry and customer base. CCPA and CPRA require California-serving businesses to provide detailed disclosures about data categories collected, business purposes, and consumer rights including deletion and opt-out options. HIPAA-covered healthcare entities must include specific language about medical information protection and patient rights. Financial institutions under GLBA must explain information-sharing practices and provide annual privacy notices. COPPA compliance requires special provisions for children under 13, including parental consent mechanisms. The FTC Act mandates that all privacy statements be truthful and not deceptive, with enforcement action possible for misleading disclosures. State laws beyond California, including Virginia's CDPA and Colorado's CPA, impose additional requirements for businesses serving those jurisdictions. Your notice must be written in clear, understandable language and regularly updated to maintain compliance as your data practices evolve.

GOVERNING LAW

Applicable law

This Privacy Notice Disclosure is drafted to comply with United States law. Key legislation includes:

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - Comprehensive privacy laws that apply to businesses serving California residents, requiring specific disclosures about data collection, use, and consumer rights

GLBA: Gramm-Leach-Bliley Act - Federal law requiring financial institutions to explain their information-sharing practices and protect sensitive data

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing privacy and security of medical information for healthcare entities

COPPA: Children's Online Privacy Protection Act - Federal law regulating the collection and use of personal information from children under 13

FTC Act: Federal Trade Commission Act - Broad consumer protection law that prohibits unfair or deceptive practices, including privacy and data security violations

CAN-SPAM Act: Law setting rules for commercial email practices, including privacy disclosures in marketing communications

VCDPA: Virginia Consumer Data Protection Act - State law providing privacy rights to Virginia residents and obligations for businesses processing their data

CPA: Colorado Privacy Act - State law establishing privacy rights for Colorado residents and requirements for businesses handling their personal data

CTDPA: Connecticut Data Privacy Act - State law protecting privacy rights of Connecticut residents and regulating business data practices

UCPA: Utah Consumer Privacy Act - State law providing privacy protections for Utah residents and establishing business compliance requirements

GDPR: General Data Protection Regulation - EU privacy law with extraterritorial scope, affecting US businesses serving EU residents

PIPEDA: Personal Information Protection and Electronic Documents Act - Canadian federal privacy law affecting US businesses serving Canadian residents

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it