CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CCPA
Privacy Policy Completeness
The visible portion of the Privacy Policy does not include California-specific disclosures required by CCPA/CPRA, such as: categories of personal information collected and sold/shared in the preceding 12 months, the business or commercial purpose for collection, consumer rights (right to know, delete, correct, opt-out of sale/sharing), and the right to non-discrimination. The policy may contain these further down, but the structure and excerpt provided do not confirm their presence.
Recommendation: Ensure a clearly labeled California-specific section (or standalone CCPA notice) is included in the Privacy Policy, covering all required disclosures under Cal. Civ. Code §1798.100-1798.199.100 including categories of PI, purposes, consumer rights, and opt-out of sale/sharing mechanisms.
CPA
Opt-Out Rights
Colorado Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CPA (Colorado).
CPA
Sensitive Data
Colorado Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CPA
Universal Opt-Out
Colorado Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CPA
Data Portability
Colorado Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CPA (Colorado).
CTDPA
Opt-Out Rights
Connecticut Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CTDPA (Connecticut).
CTDPA
Consent Mechanism
While a cookie banner was detected, the scan cannot confirm whether it provides granular opt-in/opt-out choices for non-essential cookies as required by CTDPA and other state laws. CTDPA requires opt-in consent for processing sensitive data and the ability to opt out of targeted advertising and sale of personal data. The cookie banner's compliance with these requirements cannot be verified from the scan.
Recommendation: Ensure the cookie banner allows granular control over cookie categories (functional, analytics, advertising), provides a clear opt-out mechanism for sale and targeted advertising, and obtains opt-in consent where required for sensitive data processing under CTDPA.
CTDPA
Sensitive Data
Connecticut Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CTDPA
Universal Opt-Out
Connecticut Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CTDPA
Data Portability
Connecticut Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CTDPA (Connecticut).
DPDPA
Opt-Out Rights
Delaware Personal Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by DPDPA (Delaware).
DPDPA
Sensitive Data
Delaware Personal Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
DPDPA
Universal Opt-Out
Delaware Personal Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
DPDPA
Data Portability
Delaware Personal Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by DPDPA (Delaware).
GDPR
Cross-Border Transfer
While Stripe references a Data Transfer Addendum and Data Privacy Framework in its privacy page navigation, the actual privacy policy text excerpt does not describe the specific safeguards (e.g., Standard Contractual Clauses, adequacy decisions, or binding corporate rules) used for cross-border transfers of personal data outside the EEA. GDPR Articles 44-49 require transparent disclosure of the mechanisms relied upon for international transfers.
Recommendation: Ensure the main body of the Privacy Policy explicitly identifies the legal mechanisms used for international data transfers (e.g., EU-US Data Privacy Framework certification, SCCs), the countries data is transferred to, and how data subjects can obtain copies of the relevant safeguards.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
GDPR
Data Retention
The privacy policy excerpt does not include any information about data retention periods or criteria used to determine retention periods. GDPR Article 13(2)(a) requires controllers to inform data subjects of the period for which personal data will be stored, or the criteria used to determine that period.
Recommendation: Add a dedicated data retention section specifying retention periods for each category of personal data, or clearly state the criteria used to determine how long data is retained. Include references to legal or regulatory obligations that may extend retention.
GDPR
Legal Basis
The policy excerpt mentions that legal bases are available in the Privacy Center rather than in the main Privacy Policy. While GDPR does not mandate a single document, the lack of legal basis information in the primary policy may reduce transparency. Article 13(1)(c) requires the legal basis to be communicated to data subjects at the time of collection.
Recommendation: Consider including a summary of the legal bases for key processing activities directly in the main Privacy Policy, with links to the Privacy Center for additional detail, to maximize transparency and ease of access for data subjects.
INCDPA
Opt-Out Rights
Indiana Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by INCDPA (Indiana).
INCDPA
Data Portability
Indiana Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by INCDPA (Indiana).
KCDPA
Opt-Out Rights
Kentucky Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by KCDPA (Kentucky).
KCDPA
Data Portability
Kentucky Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by KCDPA (Kentucky).
MCDPA
Opt-Out Rights
Montana Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MCDPA (Montana).
MCDPA
Universal Opt-Out
Montana Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Opt-Out Rights
Minnesota Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MNCDPA (Minnesota).
MNCDPA
Data Minimization
Minnesota Consumer Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MNCDPA
Sensitive Data
Minnesota Consumer Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
MNCDPA
Universal Opt-Out
Minnesota Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Data Portability
Minnesota Consumer Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by MNCDPA (Minnesota).
MODPA
Children's Privacy
The Maryland Online Data Privacy Act imposes heightened requirements around minors' data, including prohibitions on the sale of data of consumers under 18 and requirements for data protection assessments for processing children's data. The visible privacy policy text contains no mention of children's data practices, age gates, or COPPA/children's privacy protections.
Recommendation: Add explicit disclosures regarding whether the service is directed at or collects data from minors, what age verification mechanisms are in place, and how data from minors (especially those under 13 and under 18) is handled. Ensure compliance with Maryland's prohibition on sale of minors' data.
MODPA
Opt-Out Rights
Maryland Online Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MODPA (Maryland).
MODPA
Data Minimization
Maryland Online Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MODPA
Sensitive Data
Maryland Online Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Opt-Out Rights
New Hampshire Privacy Act (SB 255) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NHPA (New Hampshire).
NHPA
Sensitive Data
New Hampshire Privacy Act (SB 255) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Universal Opt-Out
New Hampshire Privacy Act (SB 255) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NHPA
Data Portability
New Hampshire Privacy Act (SB 255) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NHPA (New Hampshire).
NJDPA
Opt-Out Rights
New Jersey Data Privacy Act (SB 332) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NJDPA (New Jersey).
NJDPA
Sensitive Data
New Jersey Data Privacy Act (SB 332) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NJDPA
Universal Opt-Out
New Jersey Data Privacy Act (SB 332) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NJDPA
Universal Opt-Out
The New Jersey Data Privacy Act requires controllers to recognize universal opt-out mechanisms (e.g., Global Privacy Control) for opt-out of sale and targeted advertising. The privacy policy excerpt does not reference support for universal opt-out signals such as GPC.
Recommendation: Add disclosure that the site recognizes and honors universal opt-out preference signals (e.g., Global Privacy Control) as required by NJDPA, and ensure technical implementation processes GPC headers to suppress sale and targeted advertising for signaling users.
NJDPA
Data Portability
New Jersey Data Privacy Act (SB 332) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NJDPA (New Jersey).
OCPA
Opt-Out Rights
Oregon Consumer Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by OCPA (Oregon).
OCPA
Data Minimization
Oregon Consumer Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
OCPA
Privacy Policy Completeness
The Oregon Consumer Privacy Act requires controllers to provide a mechanism for consumers to appeal a refusal to act on a data subject request. The visible privacy policy text does not describe any appeal process or how consumers can escalate denied requests.
Recommendation: Include a clearly described appeal process that consumers can follow if their privacy rights request is denied. Specify the timeline for responding to appeals and provide contact details for the Oregon Attorney General as a further escalation path, as required by OCPA.
OCPA
Sensitive Data
Oregon Consumer Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
OCPA
Universal Opt-Out
Oregon Consumer Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
OCPA
Data Portability
Oregon Consumer Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by OCPA (Oregon).
VCDPA
Opt-Out Rights
Virginia Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by VCDPA (Virginia).
VCDPA
Sensitive Data
Virginia Consumer Data Protection Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
VCDPA
Data Portability
Virginia Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by VCDPA (Virginia).