This factor is part of Web Standards — the
table-stakes binary layer of the score. It is graded pass/fail and gates
the Web Quality score; it is not weighted into Web Quality itself.
Pass criteria
Tolerant — passes on pass or warn.
Web Standards label
Privacy policy published
Excluded for
Personal site
Why it's required
Any site collecting visitor data — analytics, cookies, forms — is required to disclose it. Personal one-pagers are exempt.
Same factor, two depths.
What this means for your business
Every state and country with a privacy law requires one, and Google, Apple, and Meta all refuse to run ads from sites without it. Missing this is the fastest way to get an ad account suspended or a lawyer's letter.
Plain title: You have a privacy policy page
What we measure
Every public-facing site needs a privacy policy. It's required by GDPR, CCPA, and COPPA — and it's a basic trust signal for any visitor.
How to improve your score
Generate one with Termly or iubenda, or copy and adapt a template. Link it from your footer on every page.
Facts
Ticket: WEBQ-47
Category: Privacy & Compliance
Status: live
Weight: 1.3%
Data source: —
Service cost: Free — probe `/privacy`, `/privacy-policy`, plus footer links
Scoring impl: implemented
Method version: v1.2.0
Implementation notes
HTTP probe for common URLs plus footer link extraction looking for "privacy" text.
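A sketch of the check described above, added here as an illustration and not the scorer's own code: it builds the probe URLs and extracts footer links whose anchor text contains "privacy". The function names, the example.test host and the sample HTML are assumptions constructed for the example, and no HTTP request is made.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PROBE_PATHS = ("/privacy", "/privacy-policy")  # paths named on this page

class FooterLinks(HTMLParser):
    """Collect (href, anchor text) for each <a> nested inside <footer>."""
    def __init__(self):
        super().__init__()
        self.depth, self.href, self.text, self.links = 0, None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "footer":
            self.depth += 1
        elif tag == "a" and self.depth:
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "footer" and self.depth:
            self.depth -= 1
        elif tag == "a" and self.href is not None:
            # Collapse whitespace so "Privacy\n  Policy" matches as one label.
            self.links.append((self.href, " ".join("".join(self.text).split())))
            self.href = None

def probe_urls(base_url):
    """Absolute URLs the HTTP probe would request (no request is made here)."""
    return [urljoin(base_url, path) for path in PROBE_PATHS]

def footer_privacy_links(base_url, html):
    """Footer links whose visible text mentions 'privacy', as absolute http(s) URLs."""
    parser = FooterLinks()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        url = urljoin(base_url, href)
        # Skip empty hrefs and non-navigable schemes such as javascript: or mailto:.
        if href and "privacy" in text.lower() and urlparse(url).scheme in ("http", "https"):
            hits.append(url)
    return hits

# Constructed sample page: one real footer link, one decoy outside the footer.
SAMPLE_HTML = """<nav><a href="/privacy-tips">Privacy tips</a></nav>
<footer><a href="/terms">Terms</a>
<a href="/legal/privacy-policy">Privacy
   Policy</a> <a href="javascript:void(0)">Privacy settings</a></footer>"""
```

A link found this way still has to be fetched to confirm it resolves; matching on anchor text alone says nothing about what the linked page contains.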
When this applies
Privacy policies are not required for purely personal, non-commercial sites.
Marked n/a for site types: Personal site.
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Australian Privacy Act + APPs (Privacy, AU): Australia's federal privacy law, anchored on the 13 Australian Privacy Principles. The 2024 reforms added a statutory tort for serious privacy invasions and direct OAIC penalty powers.
CCPA / CPRA (Privacy, US): California's privacy law. The visible signal is the 'Do Not Sell or Share My Personal Information' link in your footer.
Colorado Privacy Act (Privacy, US): Colorado's CCPA-shaped privacy law, with a hard requirement to honour Universal Opt-Out Mechanisms like Global Privacy Control as of July 2024.
Connecticut Data Privacy Act (Privacy, US): Connecticut's CCPA-shaped privacy law. Like Colorado, recognises Global Privacy Control as a valid opt-out signal — and the AG has been actively issuing cure notices since 2023.
COPPA (Privacy, US): If your site is directed at U.S. children under 13 — or you knowingly collect from them — you need verifiable parental consent before any data collection. The 2025 amendments tightened this further around third-party advertising.
GDPR (Privacy, EU): If a single EU resident can see your site, GDPR can apply. Cookie consent, a real privacy policy, and not silently tracking by default are the visible signs of compliance.
HIPAA (Privacy, US): If your site collects, displays, or transmits protected health information, HIPAA applies. A privacy policy plus an explicit Notice of Privacy Practices and a clear consent flow are the minimum visible signals.
LGPD (Privacy, OTHER): Brazil's GDPR analogue. If you serve Brazilian residents, treat it like GDPR-lite: lawful basis, consent for cookies, a real privacy policy, and ANPD-shaped data subject rights.
Oregon Consumer Privacy Act (Privacy, US): Oregon's CCPA-shaped privacy law. Distinctive for explicitly covering nonprofits (after a one-year delay) and for a specific right to know which third parties received your data.
PIPEDA (Privacy, CA): Canada's federal privacy law for commercial activity. Built around 10 fair information principles — meaningful consent, accountability, and the right to access your data.
POPIA (Privacy, OTHER): South Africa's GDPR analogue. Eight conditions for lawful processing, a real privacy notice, and an Information Officer registered with the Regulator.
Quebec Law 25 (Privacy, CA): Quebec's modernised privacy law — stricter than PIPEDA and the rest of Canada. Mandatory privacy officer, granular consent, data portability, and a right to algorithmic transparency.
Texas Data Privacy and Security Act (Privacy, US): Texas's CCPA-shaped privacy law. Notable for ditching the consumer-count threshold — almost any business doing business in Texas is in scope, except small businesses as defined by the SBA.
Utah Consumer Privacy Act (Privacy, US): Utah's CCPA-shaped privacy law, the most business-friendly of the bunch. Higher revenue threshold, no UOOM requirement (yet), and a permanent 30-day cure period.
Virginia CDPA (Privacy, US): Virginia's CCPA-shaped privacy law. Applies if you process the data of 100K+ Virginia residents (or 25K+ if you derive 50%+ revenue from selling data). No private right of action — Virginia AG enforces.