CCPA
Consumer Rights
CCPA requires disclosure of the consumer's right to request deletion of personal information.
Recommendation: Add clear instructions for how consumers can request deletion of their personal information.
CCPA
Opt-Out Rights
CCPA/CPRA requires clear disclosure of opt-out rights for sale/sharing of personal information.
Recommendation: Add an opt-out section to your privacy policy and implement a "Do Not Sell or Share My Personal Information" mechanism.
CCPA
Consumer Rights Disclosure
The privacy policy excerpt does not contain CCPA/CPRA-required disclosures such as: categories of personal information collected and sold/shared in the preceding 12 months, the business or commercial purpose for collection, the right to opt out of sale/sharing of personal information, the right to limit use of sensitive personal information, and a description of financial incentives. California Civil Code §1798.100(a) and §1798.130 mandate these specific disclosures.
Recommendation: Ensure the privacy policy includes a California-specific section (or clearly labeled disclosures) covering all CCPA/CPRA requirements including categories of PI collected/sold/shared, purposes, consumer rights (know, delete, correct, opt-out of sale/sharing, limit sensitive PI use), a 'Do Not Sell or Share My Personal Information' link, and the required 12-month lookback disclosures.
CPA
Opt-Out Rights
Colorado Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CPA (Colorado).
CPA
Sensitive Data
Colorado Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CPA
Universal Opt-Out
Colorado Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CPA
Data Portability
Colorado Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CPA (Colorado).
CTDPA
Opt-Out Rights
Connecticut Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by CTDPA (Connecticut).
CTDPA
Sensitive Data
Connecticut Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
CTDPA
Universal Opt-Out
Connecticut Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
CTDPA
Data Portability
Connecticut Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by CTDPA (Connecticut).
DPDPA
Opt-Out Rights
Delaware Personal Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by DPDPA (Delaware).
DPDPA
Sensitive Data
Delaware Personal Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
DPDPA
Universal Opt-Out
Delaware Personal Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
DPDPA
Data Portability
Delaware Personal Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by DPDPA (Delaware).
GDPR
Cross-Border Transfer
While Stripe references a 'Data Privacy Framework' and 'Data Transfer Addendum' in its navigation, the privacy policy excerpt does not clearly describe the specific safeguards (e.g., Standard Contractual Clauses, adequacy decisions, or binding corporate rules) used when transferring personal data outside the EEA. Under GDPR Articles 44-49, controllers must transparently inform data subjects about the mechanisms relied upon for international transfers and how to access copies of those safeguards.
Recommendation: Explicitly state in the main privacy policy body which transfer mechanisms are used (e.g., EU-US Data Privacy Framework certification, SCCs), identify the destination countries, and provide direct links to the relevant transfer documentation rather than relying solely on sidebar navigation to separate documents.
GDPR
Data Retention
The privacy policy excerpt reviewed does not include any mention of data retention periods or criteria used to determine how long personal data is stored. GDPR Article 13(2)(a) requires controllers to inform data subjects of the period for which personal data will be stored, or the criteria used to determine that period. For a financial infrastructure company processing significant volumes of sensitive financial data, this is a critical disclosure.
Recommendation: Add a dedicated 'Data Retention' section to the privacy policy that specifies retention periods for each category of personal data collected (e.g., transaction data, identity verification data, account data), or clearly describe the criteria used to determine retention periods, including any legal or regulatory obligations that mandate longer retention.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right of access (GDPR Art. 15).
Recommendation: Include information about how data subjects can request access to their personal data.
GDPR
Data Subject Rights
The privacy policy does not appear to mention the right to erasure/deletion, which is required under GDPR Art. 17.
Recommendation: Add a section covering the right to erasure, including how users can request deletion of their data and the timeframe for processing such requests.
GDPR
Accountability
The privacy policy does not mention a Data Protection Officer. If required to appoint one under GDPR Art. 37, their contact details must be published.
Recommendation: If a DPO is required (large-scale processing, public authority, or special category data), add their contact information to the privacy policy.
INCDPA
Opt-Out Rights
Indiana Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by INCDPA (Indiana).
INCDPA
Data Portability
Indiana Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by INCDPA (Indiana).
KCDPA
Opt-Out Rights
Kentucky Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by KCDPA (Kentucky).
KCDPA
Data Portability
Kentucky Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by KCDPA (Kentucky).
MCDPA
Opt-Out Rights
Montana Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MCDPA (Montana).
MCDPA
Universal Opt-Out
Montana Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Opt-Out Rights
Minnesota Consumer Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MNCDPA (Minnesota).
MNCDPA
Data Minimization
Minnesota Consumer Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MNCDPA
Sensitive Data
Minnesota Consumer Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
MNCDPA
Universal Opt-Out
Minnesota Consumer Data Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
MNCDPA
Data Portability
Minnesota Consumer Data Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by MNCDPA (Minnesota).
MNCDPA
Data Protection Assessments
The Minnesota Consumer Data Privacy Act (MNCDPA), along with GDPR Article 35 and several other state laws, requires controllers to conduct and document data protection assessments for high-risk processing activities such as targeted advertising, sale of personal data, profiling, and processing sensitive data. Stripe's privacy policy does not reference the existence of such assessments, reducing transparency about Stripe's risk management practices.
Recommendation: While DPIAs need not be published in full, consider adding a statement in the privacy policy acknowledging that Stripe conducts data protection assessments for high-risk processing activities in accordance with applicable laws, and provide a mechanism for regulators to request these assessments.
MODPA
Opt-Out Rights
Maryland Online Data Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by MODPA (Maryland).
MODPA
Data Minimization
Maryland Online Data Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
MODPA
Sensitive Data
Maryland Online Data Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
MODPA
Sensitive Data Processing
The Maryland Online Data Privacy Act (MODPA) places strict limits on processing sensitive data and requires purpose limitation — controllers may only collect data that is reasonably necessary and proportionate to the disclosed purpose. Stripe, as financial infrastructure, processes highly sensitive financial data. The policy excerpt does not detail which categories of sensitive data are processed, the specific necessity justification, or the consent mechanisms for sensitive data processing as required under MODPA and similar state laws.
Recommendation: Add explicit disclosures about what categories of sensitive data are processed (financial account data, government identifiers, precise geolocation, etc.), the specific purposes and necessity justification for each, and the consent mechanisms employed, ensuring compliance with MODPA's strict data minimization and purpose limitation requirements.
NHPA
Opt-Out Rights
New Hampshire Privacy Act (SB 255) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NHPA (New Hampshire).
NHPA
Sensitive Data
New Hampshire Privacy Act (SB 255) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NHPA
Universal Opt-Out
New Hampshire Privacy Act (SB 255) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NHPA
Data Portability
New Hampshire Privacy Act (SB 255) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NHPA (New Hampshire).
NJDPA
Opt-Out Rights
New Jersey Data Privacy Act (SB 332) requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by NJDPA (New Jersey).
NJDPA
Sensitive Data
New Jersey Data Privacy Act (SB 332) requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
NJDPA
Universal Opt-Out
New Jersey Data Privacy Act (SB 332) requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
NJDPA
Universal Opt-Out Mechanism
The New Jersey Data Privacy Act (NJDPA), along with several other state laws (CPA, CTDPA, OCPA, MODPA, MNCDPA, DPDPA), requires controllers to recognize and honor universal opt-out mechanisms such as the Global Privacy Control (GPC) signal. The scanned privacy policy and cookie banner do not indicate whether Stripe honors GPC or similar browser-based opt-out signals.
Recommendation: Update the privacy policy and cookie consent mechanism to explicitly state whether Stripe recognizes and honors universal opt-out mechanisms like Global Privacy Control (GPC). Implement technical support for GPC signals and disclose this in both the privacy policy and cookie policy.
NJDPA
Data Portability
New Jersey Data Privacy Act (SB 332) grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by NJDPA (New Jersey).
OCPA
Opt-Out Rights
Oregon Consumer Privacy Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by OCPA (Oregon).
OCPA
Children's Privacy
The Oregon Consumer Privacy Act (OCPA) requires controllers to obtain opt-in consent before processing personal data of consumers between 13-15 years of age for targeted advertising or sale. Additionally, COPPA applies to children under 13. Stripe's privacy policy excerpt contains no mention of age restrictions, children's data processing practices, or age-verification mechanisms. Given Stripe's ubiquitous presence across websites visited by minors, this is a notable gap.
Recommendation: Add a 'Children's Privacy' section to the privacy policy that clarifies whether Stripe knowingly collects data from minors, describes any age-gating mechanisms, and explains compliance with COPPA and state laws like OCPA that have specific requirements for processing data of consumers aged 13-15.
OCPA
Data Minimization
Oregon Consumer Privacy Act has strict data minimization requirements — data collection must be limited to what is reasonably necessary for the disclosed purpose.
Recommendation: Document your data minimization practices in your privacy policy and ensure you only collect data necessary for your stated purposes.
OCPA
Sensitive Data
Oregon Consumer Privacy Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
OCPA
Universal Opt-Out
Oregon Consumer Privacy Act requires recognition of universal opt-out mechanisms such as Global Privacy Control (GPC). No mention found in the privacy policy.
Recommendation: Implement support for Global Privacy Control (GPC) signals and document this in your privacy policy.
OCPA
Data Portability
Oregon Consumer Privacy Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by OCPA (Oregon).
VCDPA
Opt-Out Rights
Virginia Consumer Data Protection Act requires disclosure of consumers' opt-out rights for targeted advertising and/or sale of personal data.
Recommendation: Add opt-out rights information to your privacy policy as required by VCDPA (Virginia).
VCDPA
Sensitive Data
Virginia Consumer Data Protection Act requires explicit consent before processing sensitive personal data. No sensitive data disclosures found in the privacy policy.
Recommendation: If you process sensitive data (health, biometric, geolocation, race, religion, sexual orientation), add clear disclosures and obtain explicit consent.
VCDPA
Data Portability
Virginia Consumer Data Protection Act grants consumers the right to obtain their personal data in a portable, readily usable format.
Recommendation: Add data portability rights information and provide a mechanism for consumers to export their data as required by VCDPA (Virginia).