Privacy Policy
Breaking the privacy policy up into machine-readable, schema-defined properties so that the legal side of an API can be understood programmatically. A privacy policy sets the stage for consumption: it tells consumers what to expect about how their data, and their usage of digital resources, will be shared or sold.
Also known as: Privacy Notice, Privacy Statement, Data Protection Notice
Example
Standards
- EU GDPR — Regulation (EU) 2016/679
- EU GDPR Articles 12–14 — Information to be provided to the data subject
- US-CA California Consumer Privacy Act (CCPA) / CPRA
- ISO ISO/IEC 27701 — Privacy Information Management
- ISO ISO/IEC 29100 — Privacy Framework
- NIST NIST Privacy Framework
- schema.org schema.org PrivacyPolicy (WebPage subtype)
- IANA IANA Link Relation — privacy-policy
- Community / W3C CG Global Privacy Control
- US-HHS HIPAA Privacy Rule — 45 CFR Part 164 Subpart E
- US-FTC Children's Online Privacy Protection Act (COPPA)
- BR LGPD — Lei Geral de Proteção de Dados (Brazil)
HTTP Headers
| Header | Direction | Spec | Description |
|---|---|---|---|
| Link | response | RFC 8288 | May advertise rel="privacy-policy" pointing at the policy URL. |
| Sec-GPC | request | Global Privacy Control (W3C CG draft) | Signals the user's opt-out of sale/sharing under CCPA/CPRA. |
| DNT | request | W3C Tracking Preference Expression (Note) | Legacy Do Not Track signal; largely superseded by Sec-GPC. |
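Server-side handling of the three headers above, as an added example (not code from the original page or from the Global Privacy Control project). It looks up fields case-insensitively, accepts `Sec-GPC` only when its value is exactly `1`, emits an RFC 8288 `Link` header for the `privacy-policy` relation and parses one back, and computes the `gpc_honor_rate` metric from the Suggested Metrics section over a constructed request log. The policy URL, the request log, the `record_opt_out` consent-store hook and the choice to honor legacy `DNT` are all assumptions made for illustration.

```python
# Added example (not from the page or the Global Privacy Control project): server-side
# handling of the Link, Sec-GPC and DNT headers, plus the gpc_honor_rate metric
# computed over a constructed request log.
import re
from dataclasses import dataclass, field

PRIVACY_POLICY_URL = "https://api.example.com/legal/privacy"  # assumed URL for illustration


def _header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def gpc_opt_out(headers):
    """True only for `Sec-GPC: 1`; the GPC draft defines no other valid signal value."""
    value = _header(headers, "Sec-GPC")
    return value is not None and value.strip() == "1"


def dnt_opt_out(headers):
    """Legacy `DNT: 1`. Honoring it is a policy choice assumed here, not required by GPC."""
    value = _header(headers, "DNT")
    return value is not None and value.strip() == "1"


def privacy_policy_link(url=PRIVACY_POLICY_URL):
    """Build an RFC 8288 Link header value advertising the privacy-policy relation."""
    return f'<{url}>; rel="privacy-policy"'


# Minimal RFC 8288 parser: one link-value is <target> followed by ;-separated params.
_LINK_VALUE = re.compile(r'<([^>]+)>((?:\s*;\s*[\w-]+\s*=\s*(?:"[^"]*"|[^;,]+))*)')
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))')


def parse_link_header(value):
    """Map each relation type to its target; rel may list several space-separated types."""
    links = {}
    for target, params in _LINK_VALUE.findall(value):
        for name, quoted, bare in _PARAM.findall(params):
            if name.lower() == "rel":
                for rel in (quoted or bare).lower().split():
                    links.setdefault(rel, target)
    return links


@dataclass
class Decision:
    request_id: str
    gpc: bool                 # request carried a valid Sec-GPC signal
    opt_out_applied: bool     # consent store confirmed the opt-out
    response_headers: dict = field(default_factory=dict)


def handle_request(request_id, headers, record_opt_out):
    """record_opt_out(request_id) -> bool is a hypothetical hook into the consent store
    that returns True only when the opt-out was durably recorded."""
    gpc = gpc_opt_out(headers)
    applied = record_opt_out(request_id) if (gpc or dnt_opt_out(headers)) else False
    return Decision(request_id, gpc, applied, {"Link": privacy_policy_link()})


def gpc_honor_rate(decisions):
    """Share of Sec-GPC requests whose opt-out was applied; None when there were none."""
    with_gpc = [d for d in decisions if d.gpc]
    if not with_gpc:
        return None
    return sum(d.opt_out_applied for d in with_gpc) / len(with_gpc)


# Constructed request log (not real traffic).
SAMPLE_REQUESTS = [
    ("r1", {"Sec-GPC": "1"}),
    ("r2", {"sec-gpc": "1"}),      # lowercase field name must still match
    ("r3", {"Sec-GPC": "0"}),      # not a valid opt-out signal
    ("r4", {"DNT": "1"}),          # legacy signal only
    ("r5", {}),
    ("r6", {"Sec-GPC": "1"}),
]


def _consent_store_stub(request_id):
    """Simulates a backend that fails to persist one opt-out, so the metric drops below 1."""
    return request_id != "r6"


def run_sample():
    decisions = [handle_request(rid, hdrs, _consent_store_stub) for rid, hdrs in SAMPLE_REQUESTS]
    return decisions, gpc_honor_rate(decisions)


if __name__ == "__main__":
    decisions, rate = run_sample()
    for d in decisions:
        print(d.request_id, "gpc" if d.gpc else "-", "opt-out applied" if d.opt_out_applied else "no opt-out")
    print("gpc_honor_rate =", rate)
```

The metric counts only requests that carried a valid `Sec-GPC: 1`, so a `DNT`-only request or a malformed `Sec-GPC: 0` never inflates or deflates it; the denominator is the signal the regulator cares about, and the numerator is what the consent store actually confirmed, not what the handler intended.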
Status Codes
451 Unavailable For Legal Reasons — RFC 7725 — Resource withheld due to a privacy/legal demand (e.g., jurisdictional block).
OpenAPI Expression
- info.termsOfService (OpenAPI 3.x §4.8.2 Info Object) — The privacy policy is frequently linked alongside, or from, the ToS URL.
- info.contact (OpenAPI 3.x §4.8.2 Info Object / Contact Object) — Contact for privacy / data-protection inquiries (e.g., the DPO).
Link Relations
privacy-policy — IANA Link Relations registry — Used in Link headers, Atom, HAL, JSON:API, and HTML `<link>` elements.
Governance Rules
- info-contact (Spectral built-in) — Info contact should be present — useful for privacy/DPO routing.
- info-license (Spectral built-in) — License is required; complements (but does not replace) a privacy policy.
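A governance check in the spirit of the two Spectral built-ins above, as an added example; this is not the page's or Spectral's code. It runs over an OpenAPI document already loaded as a Python dict and reports violations as a list of findings. OpenAPI itself defines only `info.termsOfService`, `info.contact` and `info.license`; the `x-privacy-policy` extension with its `url`, `version` and `effective_date` fields, the two sample documents, and the stricter requirement that the contact carry an email or URL are all assumptions made for illustration.

```python
# Added example (not the page's or Spectral's code): a minimal governance check in the
# spirit of the Spectral built-ins info-contact and info-license, run over an OpenAPI
# document loaded as a dict. The x-privacy-policy extension and its fields are assumed.
from datetime import date


def lint_privacy_metadata(doc):
    """Return a list of rule violations (empty when the document passes)."""
    findings = []
    info = doc.get("info")
    if not isinstance(info, dict):
        return ["info: Info Object is missing"]

    # info-contact: Spectral only requires the object; this check also wants a route
    # (email or url) so privacy/DPO inquiries can actually be delivered.
    contact = info.get("contact")
    if not isinstance(contact, dict) or not (contact.get("email") or contact.get("url")):
        findings.append("info-contact: info.contact must give an email or url for privacy/DPO routing")

    # info-license: complements, but does not replace, the privacy policy.
    if not isinstance(info.get("license"), dict) or not info["license"].get("name"):
        findings.append("info-license: info.license with a name is required")

    if not str(info.get("termsOfService", "")).startswith("https://"):
        findings.append("info-terms-of-service: info.termsOfService must be an https URL")

    policy = info.get("x-privacy-policy")  # assumed vendor extension
    if not isinstance(policy, dict):
        findings.append("privacy-policy: info.x-privacy-policy object is missing")
        return findings
    if not str(policy.get("url", "")).startswith("https://"):
        findings.append("privacy-policy-url: x-privacy-policy.url must be an https URL")
    if not policy.get("version"):
        findings.append("privacy-policy-version: x-privacy-policy.version is required so changes are trackable")
    try:
        effective = date.fromisoformat(policy.get("effective_date"))
    except (TypeError, ValueError):
        findings.append("privacy-policy-date: x-privacy-policy.effective_date must be an ISO 8601 date")
    else:
        # A future-dated policy is a pending change; users must be notified before it takes effect.
        if effective > date.today():
            findings.append("privacy-policy-date: effective_date is in the future (pending change, notify users)")
    return findings


# Constructed documents for illustration (not real APIs).
WEAK_DOC = {
    "openapi": "3.1.0",
    "info": {"title": "Orders API", "version": "1.0.0", "contact": {"name": "API team"}},
    "paths": {},
}

GOOD_DOC = {
    "openapi": "3.1.0",
    "info": {
        "title": "Orders API",
        "version": "1.0.0",
        "termsOfService": "https://api.example.com/legal/terms",
        "contact": {"name": "Data Protection Officer", "email": "dpo@example.com"},
        "license": {"name": "Apache 2.0", "identifier": "Apache-2.0"},
        "x-privacy-policy": {
            "url": "https://api.example.com/legal/privacy",
            "version": "2024-03",
            "effective_date": "2024-03-01",
        },
    },
    "paths": {},
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DOC), ("good", GOOD_DOC)):
        print(name, lint_privacy_metadata(doc) or "OK")
```

Run as a pre-merge check on the spec repository, a non-empty findings list fails the build; the version and effective-date checks are what make the "version the policy, surface effective_date" advice below enforceable rather than aspirational.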
Risk & Compliance
Compliance:
- GDPR Art. 12 — transparent information, communication
- GDPR Art. 13 — information collected from the data subject
- GDPR Art. 14 — information collected from third parties
- GDPR Art. 30 — records of processing activities
- GDPR Art. 32 — security of processing
- CCPA/CPRA — notice at collection, right to know / delete / opt-out of sale
- HIPAA Privacy Rule — Notice of Privacy Practices
- COPPA — parental consent for children under 13
- LGPD — analogous transparency and rights obligations (Brazil)
- PIPEDA — Canadian federal private-sector law
Security: A privacy policy is the consumer-facing surface of the data-protection program. It must accurately describe data collected, purposes, lawful bases (GDPR), retention, sub-processors, international transfers (SCCs/adequacy), security measures (Art. 32), and individual rights with response SLAs. Misalignment between the policy and actual API data flows is itself a regulatory and reputational risk. Version the policy, surface effective_date, and notify users of material changes before they take effect.
Tools
- OneTrust — Privacy management platform
- TrustArc — Privacy management platform
- Osano — Consent and privacy management
- Iubenda — Policy generator
- Termly — Policy generator
- Global Privacy Control reference site — Standards reference
Suggested Metrics
- dsar_response_time_days — Mean time to respond to data subject access requests (GDPR Art. 12 §3 — one month).
- privacy_policy_version_count — Number of distinct published privacy policy versions over time.
- consent_rate — Share of users that grant a given consent category.
- third_party_processor_count — Number of sub-processors disclosed in the policy.
- gpc_honor_rate — Share of inbound requests carrying Sec-GPC that result in the opt-out being applied.
Example Implementations
- Stripe — Detailed global privacy center with regional notices and sub-processor list.
- GitHub — Versioned Privacy Statement with change history on docs.github.com.
- Google — Cross-product privacy policy plus per-product supplements.
- Microsoft Graph — Microsoft Privacy Statement with detailed product sections and DSR portal.
Related Properties
Tags
- Legal