CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CCPA
Privacy Policy Completeness
The visible portion of Stripe's privacy policy uses GDPR-oriented terminology ('data controller', 'data processor', 'data subject'). CCPA/CPRA requires specific disclosures including: categories of personal information collected and sold/shared in the preceding 12 months, the business or commercial purpose for collection, consumers' right to opt-out of sale/sharing, right to limit use of sensitive personal information, and retention periods per category of data. These California-specific disclosures are not visible in the excerpt provided, though they may exist further in the policy.
Recommendation: Ensure the privacy policy includes a clearly labeled California-specific section (or separate California Privacy Notice) that enumerates all CCPA/CPRA required disclosures, including categories of PI collected/sold/shared, specific retention periods per category, opt-out of sale/sharing rights, and the right to limit sensitive PI use.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
GDPR
Cross-Border Transfer
Stripe references a 'Data Transfer Addendum' and 'Data Privacy Framework' in their navigation, indicating cross-border transfers occur. However, the privacy policy excerpt does not explicitly detail the specific transfer mechanisms (e.g., Standard Contractual Clauses, adequacy decisions, or binding corporate rules) relied upon for EU-to-third-country data transfers. While these may be addressed in linked documents, GDPR Article 13(1)(f) requires informing data subjects about the existence of cross-border transfers and the safeguards applied directly in the privacy policy or with clear, accessible references.
Recommendation: Ensure the main privacy policy body explicitly states which transfer mechanisms are relied upon (SCCs, Data Privacy Framework, BCRs), names the third countries involved, and provides direct links to the relevant safeguards documentation rather than relying solely on sidebar navigation to separate documents.
GDPR
Data Retention
The privacy policy excerpt does not include any specific data retention periods or criteria used to determine retention periods. GDPR Article 13(2)(a) requires controllers to inform data subjects of the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period. For a company processing significant volumes of financial and personal data across multiple services, this is a material omission if not addressed elsewhere in the full policy.
Recommendation: Include a dedicated data retention section in the privacy policy specifying retention periods for each category of personal data processed, or at minimum the criteria used to determine retention periods (e.g., legal obligations, contractual necessity, legitimate interest duration). Consider a retention schedule table for clarity.
CTDPA
Consent Mechanism
Connecticut's CTDPA requires opt-in consent for processing sensitive data and provides consumers the right to opt out of targeted advertising, sale of personal data, and profiling. While a cookie banner was detected, it is unclear whether it provides sufficient granularity to allow Connecticut residents to exercise these specific opt-out rights, particularly distinguishing between targeted advertising cookies and other non-essential cookies as required by the law effective July 2023.
Recommendation: Ensure the cookie consent mechanism provides granular options that allow Connecticut consumers to opt out of targeted advertising and of the sale of personal data separately. Implement recognition of a universal opt-out mechanism (such as Global Privacy Control), as required by the CTDPA.
TDPSA
Children's Privacy
The Texas Data Privacy and Security Act includes specific provisions prohibiting the sale of personal data of known children aged 13-17 without consent and requires compliance with COPPA for children under 13. Stripe processes financial data that may involve minors (e.g., through consumer-facing services). The visible privacy policy excerpt contains no reference to children's data processing, age verification, or parental consent mechanisms.
Recommendation: Add a clearly labeled children's privacy section to the privacy policy addressing: whether services are directed at children, how the company handles data of known minors (under 13 and 13-17 age brackets), COPPA compliance measures, and parental consent mechanisms. If services are not directed at children, include an explicit statement to that effect.
CPA
Data Protection Assessment
The Colorado Privacy Act requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including targeted advertising, sale of personal data, and processing of sensitive data. As a major financial infrastructure provider, Stripe likely engages in processing that would trigger this requirement. The policy excerpt does not reference conducting such assessments.
Recommendation: While data protection assessments are not typically disclosed in privacy policies, consider adding a statement affirming that Stripe conducts data protection assessments for high-risk processing activities as required by applicable law. Ensure internal documentation of these assessments is maintained and available for regulatory review.
VCDPA
Privacy Rights
The VCDPA grants Virginia consumers specific rights including the right to access, correct, delete, obtain a copy of personal data in a portable format, and opt out of targeted advertising, sale, and profiling. The privacy policy excerpt mentions 'rights and choices as a data subject' and 'the right to object to certain uses' but does not enumerate the full set of VCDPA-specific rights in the visible portion. The reference to 'Privacy Center' for more details may address this but should not replace clear disclosure in the main policy.
Recommendation: Ensure the privacy policy explicitly lists all consumer rights under the VCDPA (and other applicable state laws), including access, correction, deletion, portability, and the specific opt-out rights. Include clear instructions for how to exercise each right and the appeal process for denied requests, either in the main policy or via clearly accessible links.