CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CCPA
Privacy Policy Completeness
The CCPA/CPRA requires privacy policies to include specific disclosures such as: categories of personal information collected and sold/shared in the preceding 12 months, the business or commercial purpose for collection, categories of third parties to whom data is disclosed, and a clear 'Do Not Sell or Share My Personal Information' link. The scanned privacy policy excerpt is heavily truncated (mostly HTML/JS scaffolding and introductory text) and does not confirm the presence of these mandatory CCPA disclosures, including the required 12-month lookback tables and right-to-know specifics.
Recommendation: Verify that the full privacy policy contains all CCPA/CPRA-mandated sections including: (1) categories of PI collected, sold, and shared in the past 12 months, (2) retention periods per category, (3) a conspicuous 'Do Not Sell or Share My Personal Information' link, (4) disclosure of financial incentive programs if any, and (5) specific mention of the right to limit use of sensitive personal information.
CPA
Opt-Out Rights
Colorado Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CPA (Colorado).
CPA
Sensitive Data
Colorado Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CPA
Universal Opt-Out
Colorado Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CPA
Data Portability
Colorado Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CPA (Colorado).
CTDPA
Opt-Out Rights
Connecticut Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CTDPA (Connecticut).
CTDPA
Sensitive Data
Connecticut Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CTDPA
Universal Opt-Out
Connecticut Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CTDPA
Data Portability
Connecticut Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CTDPA (Connecticut).
DPDPA
Opt-Out Rights
Delaware Personal Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by DPDPA (Delaware).
DPDPA
Sensitive Data
Delaware Personal Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
DPDPA
Universal Opt-Out
Delaware Personal Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
DPDPA
Data Portability
Delaware Personal Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by DPDPA (Delaware).
GDPR
Cross-Border Transfer
While Stripe references a Data Transfer Addendum and Data Privacy Framework in their privacy policy navigation, the scanned privacy policy excerpt does not contain explicit detail on the specific transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules) used to protect personal data transferred outside the EEA. Under GDPR Articles 44-49, controllers must clearly inform data subjects of the safeguards in place for international transfers. The policy text captured is truncated and does not surface these details directly within the main privacy policy body.
Recommendation: Ensure the main Privacy Policy text explicitly identifies the legal mechanisms relied upon for cross-border data transfers (e.g., EU-U.S. Data Privacy Framework, SCCs), the categories of recipients in third countries, and links to copies of the relevant safeguards. This information should be readily accessible without requiring users to navigate to separate sub-documents.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
GDPR
Data Retention
The scanned portion of Stripe's privacy policy does not include any specific data retention periods or criteria used to determine retention. GDPR Article 13(2)(a) requires controllers to inform data subjects of the period for which personal data will be stored, or the criteria used to determine that period. The policy text ends before any such section is reached, and no retention schedule is evident in the excerpt.
Recommendation: Include a dedicated data retention section in the privacy policy that specifies retention periods for each category of personal data collected, or clearly articulates the criteria used to determine retention (e.g., duration of business relationship plus legal obligation periods). This should be easily locatable within the main policy document.
INCDPA
Opt-Out Rights
Indiana Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by INCDPA (Indiana).
INCDPA
Data Portability
Indiana Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by INCDPA (Indiana).
KCDPA
Opt-Out Rights
Kentucky Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by KCDPA (Kentucky).
KCDPA
Data Portability
Kentucky Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by KCDPA (Kentucky).
MCDPA
Opt-Out Rights
Montana Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MCDPA (Montana).
MCDPA
Universal Opt-Out
Montana Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Opt-Out Rights
Minnesota Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MNCDPA (Minnesota).
MNCDPA
Data Minimization
Minnesota Consumer Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MNCDPA
Sensitive Data
Minnesota Consumer Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
MNCDPA
Universal Opt-Out
Minnesota Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Data Portability
Minnesota Consumer Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by MNCDPA (Minnesota).
MNCDPA
Data Protection Assessment
The Minnesota Consumer Data Privacy Act, along with several other state laws (CPA, CTDPA, OCPA, MODPA), requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm, including targeted advertising, sale of personal data, and processing of sensitive data. The privacy policy excerpt does not reference the performance of such assessments. While these assessments are typically internal documents, transparency about conducting them builds trust and demonstrates compliance.
Recommendation: Consider adding a statement in the privacy policy acknowledging that Stripe conducts data protection assessments for high-risk processing activities as required by applicable state privacy laws. Maintain internal documentation of these assessments and ensure they are updated for each new state law that takes effect.
MODPA
Opt-Out Rights
Maryland Online Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MODPA (Maryland).
MODPA
Children's Privacy
The Maryland Online Data Privacy Act includes heightened protections for minors, including restrictions on processing data of individuals under 18 for targeted advertising and requirements for data protection assessments involving minors' data. The scanned privacy policy excerpt does not contain any disclosures about age verification, children's data handling, or COPPA/minor-specific protections. Given Stripe's broad internet presence and potential interaction with users under 18, this is a notable gap.
Recommendation: Add a clearly labeled section addressing children's and minors' privacy, specifying: (1) minimum age requirements for using services, (2) whether data from minors under 18 is knowingly collected, (3) parental consent mechanisms if applicable, and (4) compliance with COPPA for users under 13 and state-specific minor protections under MODPA and similar laws.
MODPA
Data Minimization
Maryland Online Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MODPA
Sensitive Data
Maryland Online Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Opt-Out Rights
New Hampshire Privacy Act (SB 255) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NHPA (New Hampshire).
NHPA
Sensitive Data
New Hampshire Privacy Act (SB 255) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Universal Opt-Out
New Hampshire Privacy Act (SB 255) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NHPA
Data Portability
New Hampshire Privacy Act (SB 255) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NHPA (New Hampshire).
NJDPA
Opt-Out Rights
New Jersey Data Privacy Act (SB 332) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NJDPA (New Jersey).
NJDPA
Sensitive Data
The New Jersey Data Privacy Act requires opt-in consent before processing sensitive personal data, which includes financial data. As a financial infrastructure provider, Stripe processes significant amounts of financial and potentially sensitive personal data. The scanned policy excerpt does not confirm whether Stripe obtains explicit opt-in consent for sensitive data processing or clearly delineates categories of sensitive data it handles under NJDPA definitions.
Recommendation: Clearly identify in the privacy policy what categories of sensitive personal data are processed under NJDPA definitions (financial data, geolocation, etc.), the legal basis and consent mechanism for each, and ensure opt-in consent is obtained prior to processing sensitive data for New Jersey consumers.
NJDPA
Sensitive Data
New Jersey Data Privacy Act (SB 332) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NJDPA
Universal Opt-Out
New Jersey Data Privacy Act (SB 332) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NJDPA
Data Portability
New Jersey Data Privacy Act (SB 332) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NJDPA (New Jersey).
OCPA
Opt-Out Rights
Oregon Consumer Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by OCPA (Oregon).
OCPA
Consent Mechanism
The Oregon Consumer Privacy Act requires controllers to honor opt-out requests for targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. The scan detected a cookie banner but no specific opt-out mechanism for profiling or sale was confirmed in the policy excerpt. OCPA also requires recognition of universal opt-out signals, which cannot be verified from the scan.
Recommendation: Implement and clearly disclose mechanisms for Oregon consumers to opt out of targeted advertising, sale of personal data, and profiling. Ensure the site honors Global Privacy Control (GPC) and other universal opt-out signals as required by OCPA. Document these mechanisms prominently in the privacy policy.
OCPA
Data Minimization
Oregon Consumer Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
OCPA
Sensitive Data
Oregon Consumer Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
OCPA
Universal Opt-Out
Oregon Consumer Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
OCPA
Data Portability
Oregon Consumer Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by OCPA (Oregon).
VCDPA
Opt-Out Rights
Virginia Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by VCDPA (Virginia).
VCDPA
Sensitive Data
Virginia Consumer Data Protection Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
VCDPA
Data Portability
Virginia Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by VCDPA (Virginia).