CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CCPA
Privacy Policy Completeness
The California Consumer Privacy Act (as amended by CPRA) requires specific disclosures including: categories of personal information collected in the preceding 12 months, categories of sources, business or commercial purposes for collection, categories of third parties with whom PI is shared, whether PI is sold or shared for cross-context behavioral advertising, and retention periods per category. The scanned policy excerpt cuts off before any CCPA-specific section is reached, and there is no visible 'Do Not Sell or Share My Personal Information' link on the homepage.
Recommendation: Verify that the full privacy policy contains a dedicated CCPA/CPRA section with all required disclosures. Add a conspicuous 'Do Not Sell or Share My Personal Information' link in the website footer if personal information is sold or shared for cross-context behavioral advertising, or affirmatively state that Stripe does not sell/share PI.
CPA
Opt-Out Rights
Colorado Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CPA (Colorado).
CPA
Sensitive Data
Colorado Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CPA
Universal Opt-Out
Colorado Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CPA
Data Portability
Colorado Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CPA (Colorado).
CTDPA
Opt-Out Rights
Connecticut Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CTDPA (Connecticut).
CTDPA
Sensitive Data
Connecticut Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CTDPA
Universal Opt-Out
Connecticut Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CTDPA
Data Portability
Connecticut Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CTDPA (Connecticut).
DPDPA
Opt-Out Rights
Delaware Personal Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by DPDPA (Delaware).
DPDPA
Sensitive Data
Delaware Personal Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
DPDPA
Universal Opt-Out
Delaware Personal Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
DPDPA
Data Portability
Delaware Personal Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by DPDPA (Delaware).
GDPR
Cross-Border Transfer
While Stripe references a Data Transfer Addendum, Data Privacy Framework, and Sub-Processors List in its privacy center navigation, the privacy policy excerpt provided does not detail the specific transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules) relied upon for transferring EU personal data to third countries. Under GDPR Articles 44-49, controllers must clearly communicate the safeguards in place for international transfers. The truncated policy text makes it impossible to confirm these disclosures are adequate.
Recommendation: Ensure the main Privacy Policy body explicitly identifies all cross-border transfer mechanisms (SCCs, DPF certification, adequacy decisions) used, the categories of data transferred, and the countries involved. Supplement with a direct link to the full Data Transfer Addendum within the policy text itself, not just a sidebar navigation.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
GDPR
Data Retention
GDPR Article 13(2)(a) requires controllers to inform data subjects about the period for which personal data will be stored, or the criteria used to determine that period. The privacy policy excerpt scanned does not contain any data retention schedules or criteria. While the full policy may address this beyond the scanned portion, its absence from early sections is a concern for transparency.
Recommendation: Include a clear data retention section in the privacy policy specifying retention periods (or criteria for determining them) for each category of personal data collected. Consider a summary table for ease of comprehension.
INCDPA
Opt-Out Rights
Indiana Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by INCDPA (Indiana).
INCDPA
Data Portability
Indiana Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by INCDPA (Indiana).
KCDPA
Opt-Out Rights
Kentucky Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by KCDPA (Kentucky).
KCDPA
Data Portability
Kentucky Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by KCDPA (Kentucky).
MCDPA
Opt-Out Rights
Montana Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MCDPA (Montana).
MCDPA
Universal Opt-Out
Montana Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Opt-Out Rights
Minnesota Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MNCDPA (Minnesota).
MNCDPA
Data Minimization
The MNCDPA requires controllers to disclose whether they engage in profiling that produces legal or similarly significant effects, provide an opt-out mechanism for profiling, and adhere to strict data minimization principles. Given Stripe's fraud detection and risk assessment services (which likely constitute profiling), no disclosures about profiling activities or opt-out rights were visible in the scanned content.
Recommendation: Disclose any profiling activities in the privacy policy, describe the logic involved and potential consequences, and provide a clear opt-out mechanism for profiling as required under MNCDPA. Ensure data collection is limited to what is reasonably necessary for disclosed purposes.
MNCDPA
Data Minimization
Minnesota Consumer Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MNCDPA
Sensitive Data
Minnesota Consumer Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
MNCDPA
Universal Opt-Out
Minnesota Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Data Portability
Minnesota Consumer Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by MNCDPA (Minnesota).
MODPA
Opt-Out Rights
Maryland Online Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MODPA (Maryland).
MODPA
Data Minimization
Maryland Online Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MODPA
Sensitive Data
MODPA imposes strict requirements around the collection and processing of sensitive data (including precise geolocation, financial information, biometrics, and race/ethnicity). As a financial infrastructure provider, Stripe likely processes sensitive financial data. MODPA requires that controllers obtain consumer consent before processing sensitive data and prohibits the sale of sensitive data entirely. No specific MODPA disclosures or consent mechanisms were detected.
Recommendation: Add state-specific disclosures addressing MODPA's sensitive data provisions. Ensure affirmative consent mechanisms exist before processing any sensitive data categories as defined under Maryland law, and explicitly state that Stripe does not sell sensitive data.
MODPA
Sensitive Data
Maryland Online Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Opt-Out Rights
New Hampshire Privacy Act (SB 255) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NHPA (New Hampshire).
NHPA
Sensitive Data
New Hampshire Privacy Act (SB 255) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Universal Opt-Out
New Hampshire Privacy Act (SB 255) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NHPA
Data Portability
New Hampshire Privacy Act (SB 255) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NHPA (New Hampshire).
NJDPA
Opt-Out Rights
New Jersey Data Privacy Act (SB 332) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NJDPA (New Jersey).
NJDPA
Sensitive Data
New Jersey Data Privacy Act (SB 332) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NJDPA
Universal Opt-Out
The New Jersey Data Privacy Act requires controllers to recognize universal opt-out mechanisms (such as Global Privacy Control signals) for opting out of the sale of personal data, targeted advertising, and certain profiling. No evidence of GPC signal recognition or a universal opt-out disclosure was detected on the scanned pages.
Recommendation: Implement technical recognition of Global Privacy Control (GPC) and other universal opt-out signals as required by NJDPA. Document this capability in the privacy policy and test that GPC signals are properly honored across all web properties.
NJDPA
Universal Opt-Out
New Jersey Data Privacy Act (SB 332) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NJDPA
Data Portability
New Jersey Data Privacy Act (SB 332) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NJDPA (New Jersey).
OCPA
Opt-Out Rights
Oregon Consumer Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by OCPA (Oregon).
OCPA
Children's Privacy
The Oregon Consumer Privacy Act and several other state laws (CTDPA, MODPA, MNCDPA) impose heightened obligations regarding processing data of known children under 13 and teens 13-15, including requirements for consent before processing and prohibitions on targeted advertising to minors. The scanned pages show no age gate, age verification mechanism, or policy language addressing children's data.
Recommendation: Add explicit language to the privacy policy stating whether the services are directed at children, whether Stripe knowingly collects data from minors, and what safeguards are in place. If not directed at children, include a clear statement under applicable state and federal (COPPA) requirements.
OCPA
Data Minimization
Oregon Consumer Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
OCPA
Sensitive Data
Oregon Consumer Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
OCPA
Universal Opt-Out
Oregon Consumer Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
OCPA
Data Portability
Oregon Consumer Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by OCPA (Oregon).
VCDPA
Opt-Out Rights
Virginia Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by VCDPA (Virginia).
VCDPA
Sensitive Data
Virginia Consumer Data Protection Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
VCDPA
Data Portability
Virginia Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by VCDPA (Virginia).