Privacy policy link

What this check does

Crawls the rendered page (header, footer, and global nav) for an <a> element whose text or URL matches a privacy-policy pattern: /privacy, /privacy-policy, /datenschutz, /politica-de-privacidad, /confidentialite, etc., or anchor text containing “Privacy”, “Privacy Policy”, “Privacy Notice”, “Datenschutz”, and the common translations. The check passes when at least one such link is present and reachable.

Why it matters

A privacy policy that visitors cannot find is, in regulatory terms, no policy at all.

• GDPR Articles 13 and 14 require you to provide identified categories of information to data subjects “at the time when personal data are obtained” — in practice, before any non-essential tracker fires. EDPB transparency guidelines explicitly call out that the notice must be “easily accessible” with “clear and plain language.”
• CCPA / CPRA require a conspicuous link on the homepage labelled “Privacy Policy” (and “Do Not Sell or Share My Personal Information” if applicable). The California AG has settled multiple actions specifically over missing or buried links.
• Brazil’s LGPD, Canada’s PIPEDA, UK Data Protection Act 2018, and dozens of national equivalents carry parallel requirements.
• Vendor terms of service. Google Analytics, Meta Pixel, Stripe, HubSpot, and Mailchimp all require a published privacy policy as a condition of using their services. Missing the link can void your right to use the tools.

This is also the cheapest rule in the privacy module to fix. Most sites have a policy — they just forgot to link it from every page.

How to fix it

Add a link in the global footer that appears on every page, with the literal anchor text “Privacy Policy” (or the localised equivalent). Don’t hide it under a hamburger or render it only on the homepage.

Static HTML / vanilla footer:

<footer>
  <nav aria-label="Legal">
    <a href="/privacy-policy/">Privacy Policy</a>
    <a href="/terms/">Terms of Service</a>
    <a href="/cookies/">Cookie Policy</a>
  </nav>
</footer>

Astro — put the link in src/components/Footer.astro and include it from your base layout so every route picks it up automatically. For multilingual sites, route the localised path:

---
import { getRelativeLocaleUrl } from "astro:i18n";
const lang = Astro.currentLocale ?? "en";
---
<a href={getRelativeLocaleUrl(lang, "privacy-policy")}>Privacy Policy</a>

Next.js — render the link from app/layout.tsx (App Router) or pages/_app.tsx (Pages Router) so it appears on every route:

// app/layout.tsx
<footer>
  <Link href="/privacy-policy">Privacy Policy</Link>
</footer>

WordPress — Settings → Privacy lets you designate a Privacy Policy page; most themes expose the link via Customizer → Menus → Footer Menu, or via the_privacy_policy_link() in the footer template.

Add a sitewide reference inside your cookie banner. Whatever banner you ship (see cookie consent banner) should link to the policy from its first screen. EDPB guidelines treat a banner without a visible privacy-policy link as failing the “informed” prong of valid consent.

Mark it up for assistant engines. Add WebSite JSON-LD with a privacyPolicy property so AI search engines and crawlers can resolve the URL:

{
  "@context": "https://schema.org",
  "@type": "WebSite",
  "url": "https://example.com/",
  "privacyPolicy": "https://example.com/privacy-policy/"
}

See JSON-LD structured data for how to embed this.

Audit yourself:

curl -s https://yourdomain.com/ | grep -iE 'privacy[- ]policy|privacy notice'

Empty output means the link isn’t in your server-rendered HTML — fix that before relying on a client-side footer.

Frequently asked questions

Does the link have to be in the footer specifically?

No, but the footer is what regulators and users expect. EDPB guidance asks for “easy accessibility” — a footer link on every page, or a link inside the cookie banner, satisfies that. A link only on the homepage, or buried inside a “More” submenu, has been called out in enforcement actions.

What if my policy is hosted on a different domain (Iubenda, Termly, Privacy Policy Generator)?

That’s fine, as long as the link works and the page is yours (your company name on it, your data, your contact). The check matches by URL pattern and anchor text, so an <a href="https://www.iubenda.com/privacy-policy/12345">Privacy Policy</a> passes.

Do I also need a separate Cookie Policy link?

Under the EU ePrivacy Directive, yes — the cookie policy is conceptually distinct from the privacy policy and most banners link to both. You can combine them in one document as long as the cookie section is clearly delineated. The CNIL, ICO, and AEPD all accept combined policies.