Do I Need a Privacy Policy?

If you are building a product that touches user data, the answer is a resounding yes. For startup founders, having a compliant privacy policy from day one is one of the most consequential legal decisions you will make, and failing to get it right early can cost far more than getting it right at the outset.

The Legal Landscape

Privacy laws in the United States operate across multiple overlapping frameworks. At the federal level, the Federal Trade Commission Act prohibits unfair or deceptive trade practices, which include making representations about your data practices that you do not follow. Sector-specific statutes impose additional obligations depending on your industry: the Health Insurance Portability and Accountability Act (“HIPAA”) governs health data, the Children's Online Privacy Protection Act (“COPPA”) applies to products directed at children under 13, and the Family Educational Rights and Privacy Act (“FERPA”) covers student education records.

Despite the absence of a comprehensive privacy law at the federal level, the legal landscape has expanded dramatically at the state level. As of 2026, 20 states have enacted comprehensive consumer privacy laws. The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), remains the most comprehensive, and it is the only state law that applies equally to consumers, employees, and business-to-business contacts. States including Colorado, Virginia, Texas, Oregon, Minnesota, and New Jersey have each enacted their own frameworks, each with distinct applicability thresholds, consumer rights provisions, and enforcement mechanisms.

In 2026, where nearly every company has an online presence, there is no longer a meaningful distinction between companies that are subject to privacy laws and companies that are not. In practice, nearly every company is subject to multiple privacy frameworks simultaneously. A privacy policy is the primary mechanism through which you satisfy the disclosure obligations those frameworks impose.

What Happens When Your Privacy Policy Doesn’t Match Your Practices: The BetterHelp Case

In March 2023, the Federal Trade Commission (“FTC”) took action against BetterHelp, Inc. (“BetterHelp”), an online mental health counseling platform. In re BetterHelp, Inc., FTC Docket No. C-4796 (2023). The FTC charged that BetterHelp had shared users' sensitive health information, including email addresses, IP addresses, and answers to mental health intake questionnaires, with Facebook, Snapchat, Criteo, and Pinterest for advertising purposes. The company had explicitly promised users, at multiple points in its sign-up process, that their personal health information would stay private and would not be disclosed for advertising purposes. The FTC found those representations to be deceptive under Section 5 of the FTC Act. The resulting settlement required BetterHelp to pay $7.8 million in consumer refunds and banned the company from sharing consumer health data for advertising purposes going forward. See the FTC BetterHelp press release.

The BetterHelp case illustrates two failure modes that are common among startups. The first is having a privacy policy that does not accurately describe actual data practices. The second is treating the privacy policy as a disclosure exercise rather than a binding commitment. A policy that says one thing while the business does another is not just non-compliant. It is worse than having no policy at all, because it transforms a regulatory omission into a deceptive trade practice.

What a Privacy Policy Should Cover

A compliant privacy policy should, at minimum, identify what categories of personal information you collect, explain the purposes for which that information is used, disclose whether you share it with third parties and under what circumstances, and describe the rights users have over their data. If you serve California residents, the CCPA and CPRA require additional specificity around data categories, consumer rights to access and deletion, and opt-out rights for the sale or sharing of personal information.

As the state privacy law landscape continues to evolve, the policy also needs to be updated when your practices change. Founders who draft a privacy policy at incorporation and never revisit it often find themselves out of compliance the moment they integrate a new tool or expand into a new market. The compliance bar is rising, and it is rising quickly.

If You Need a Privacy Policy, Reach Out to Stealth Legal

Stealth Legal is a boutique tech-focused law firm that works with startups and technology companies navigating privacy compliance, data governance, and regulatory risk. Whether you are launching a new product, revisiting existing policies, or building out a data infrastructure that needs legal review, our team can help you establish a foundation that scales with your business.

If you have questions about your privacy obligations, contact us at pavin@stealth.legal.

This post is for informational purposes only and does not constitute legal advice. For advice specific to your situation, please consult a licensed attorney.
