Nobody builds a website thinking "I can't wait to write legal documents." You're thinking about the product, the content, the launch. The legal stuff feels like something you'll deal with later.
Here's the problem with "later": by the time it matters, it's usually already too late. A GDPR complaint lands. Stripe flags your merchant account. The App Store rejects your submission. And you're scrambling to patch together policies while actively losing money.
This checklist covers every legal document a website might need in 2026. Not every site needs all of them. But you need to know which ones apply to you. Read through, check off what's relevant, and use the links to generate the ones you're missing.
The Basics Every Website Needs
Let's start with the foundation. These three documents apply to almost every website that exists. If your site is on the internet and real people visit it, you need at least these.
Privacy Policy
A Privacy Policy is a legal document that tells your visitors what personal data you collect, why you collect it, how you use it, and who you share it with. In plain English: it's your promise to users about how you'll handle their information.
Here's what most people miss. You're probably collecting personal data even if you think you're not. Google Analytics collects IP addresses. Contact forms collect names and emails. Newsletter signups collect email addresses. Comments collect usernames. If any of that sounds like your website, you need a Privacy Policy.
The Privacy Policy doesn't need to be terrifying or 40 pages long. It just needs to honestly describe what you do with data. Plain language is better. Users actually reading it is a good thing.
Terms of Service
A Terms of Service (also called Terms of Use, Terms and Conditions, or a User Agreement) is the contract between you and your users. It sets the rules: what users can do, what they can't do, what you're responsible for, and what you're not.
Think of it as the document that protects you when things go sideways. A user claims your product caused them losses. Another user posts something awful in your comments. Someone tries to resell your software. Without a Terms of Service, you have no legal footing in any of these situations.
And here's the thing: even small blogs need one. If users can submit content, post comments, or even just receive email from you, you have a legal relationship that benefits from being defined in writing.
Cookie Policy (if you use tracking)
If your website uses cookies beyond the strictly necessary kind (analytics, advertising, social sharing buttons, retargeting pixels), you need a Cookie Policy. This is separate from your Privacy Policy, though many people try to fold it in.
Under GDPR and the EU ePrivacy Directive, you need to: tell users what cookies you use, explain what each category of cookie does, get consent before dropping non-essential cookies, and let users withdraw that consent at any time.
If you're running Google Analytics, Facebook Pixel, or any ad network, you're using non-essential cookies. You need a Cookie Policy and a proper consent banner. Not a banner that says "we use cookies, ok?" and makes "OK" the only option. An actual choice.
E-commerce Requirements
Running an online store adds a whole new layer of legal requirements. This surprises a lot of first-time store owners, especially when their payment processor suddenly asks for documentation they've never heard of.
Refund Policy
A Refund Policy explains under what circumstances customers can get their money back, how long the process takes, and what conditions apply. This one surprises people the most.
Stripe, PayPal, and most other payment processors require you to have a visible Refund Policy before they'll approve your merchant account. They're not being bureaucratic for fun. It's because chargebacks cost them money, and a clear refund policy reduces disputes.
Beyond the payment processor requirement, consumer protection laws in the EU, UK, and many US states give customers specific rights around returns and refunds. Your Refund Policy needs to reflect those rights for the jurisdictions where you sell.
Shipping Policy
If you're shipping physical products, customers want to know: how long does delivery take, what does it cost, do you ship internationally, and what happens if something gets lost. A Shipping Policy answers all of this upfront and dramatically reduces customer service inquiries.
Payment processors also check for this. If your store has no shipping information visible, it looks like either an incomplete business or a scam. Neither is great for getting your account approved.
App and SaaS Requirements
Software products have their own set of legal requirements, and they're more demanding than a typical website. Both Apple and Google are very specific about what they want to see before they'll let you publish.
EULA (End User License Agreement)
An EULA is the agreement between a software developer and the user of that software. It's different from a Terms of Service in a specific way: a ToS governs a service you provide, while an EULA governs a piece of software the user runs on their device.
The EULA establishes that the user is licensing the software (not purchasing or owning it), defines what they can and can't do with it (no reverse engineering, no redistribution), and limits your liability for bugs and failures.
Apple and Google both require a visible EULA for App Store and Play Store submissions. Apps without one get rejected during review. This is a hard requirement, not a suggestion.
SaaS Terms of Service
A SaaS-specific Terms of Service is different from a generic website ToS. It needs to cover subscription billing cycles, what happens on cancellation, data portability rights, uptime expectations (or explicit lack thereof), and service level commitments.
For B2B SaaS in particular, your enterprise customers will often require your ToS before signing any deal. Their legal teams will read it. A generic "we can change anything at any time" ToS will not pass their review.
Data Processing Agreement (DPA)
If you're selling SaaS to businesses in the EU, or if you process personal data on behalf of your customers (which most SaaS products do), you need a Data Processing Agreement. Under GDPR, a DPA is mandatory whenever a data controller (your customer) uses a data processor (you).
A DPA defines what data you process, how you protect it, who has access, where it's stored, and how breaches are handled. Business customers in the EU cannot legally use your software without one. This is one of those documents that actively closes B2B deals.
Content Creator and Blogger Requirements
This is the section most bloggers skip. And honestly, most of them are fine. Until they're not. The FTC has been increasingly aggressive about disclosure violations, and the penalties are not small.
Affiliate Disclosure
If you earn commissions from affiliate links (Amazon Associates, ShareASale, any other program), you're legally required to disclose this to your readers. The FTC requires the disclosure to be "clear and conspicuous." That means before the link, not buried in your footer, not in tiny grey text.
The disclosure needs to appear before users click affiliate links, so they can factor it into their decision. "This post contains affiliate links" at the top of the article is fine. The disclosure must be in plain language, not legal jargon.
Sponsored Content Disclosure
Paid reviews, sponsored posts, brand partnerships, gifted products. All of these require disclosure under FTC guidelines. The same rules apply as affiliate disclosure: it must be clear, it must be early, and it must be understandable to ordinary readers.
This applies even when the brand relationship is indirect. Free products received for review count. Free stays at hotels count. Free software access in exchange for coverage counts. If you received anything of value, you need to disclose it.
Earnings Disclaimer
If you publish anything that could be read as income claims ("I made $10,000 last month blogging"), you need an Earnings Disclaimer. This document makes clear that your results are not typical, that income claims are for illustrative purposes, and that readers should not assume they'll achieve the same results.
Without one, income claims on your website can be considered deceptive under FTC rules, regardless of whether you intended them that way.
Medical and Financial Disclaimers
If you write about health, fitness, nutrition, supplements, investment, taxes, or personal finance, you need a disclaimer making clear that your content is not professional medical or financial advice. Yes, even if it's obvious. Yes, even if you're clearly just a blogger.
Courts and regulatory agencies have found that readers reasonably rely on authoritative-seeming online content. A disclaimer doesn't fully immunize you from liability, but it substantially reduces your exposure and demonstrates good faith.
GDPR Compliance (for EU Visitors)
If your website is accessible from the EU (which means basically every website on the internet), GDPR applies to you when EU residents visit. You don't need to be based in Europe. You don't even need to be targeting Europe. You just need to have EU visitors.
The fines under GDPR reach up to 20 million euros or 4% of global annual turnover, whichever is higher. Regulators have issued significant fines against companies of all sizes. It's not just a big-company problem.
What You Need for GDPR Compliance
- GDPR-compliant Privacy Policy: Your standard Privacy Policy needs GDPR-specific additions including legal bases for processing, data subject rights (access, deletion, portability), and contact details for your data protection officer or representative if required.
- Cookie Consent Mechanism: A real one, with a real "decline" option. Pre-ticked boxes and dark patterns (where the "accept" button is big and the "reject" option is hidden) violate GDPR. Regulators have fined companies specifically for cookie consent dark patterns.
- Data Processing Agreement: If you use third-party processors that handle EU personal data on your behalf (email marketing platforms, CRMs, analytics tools), you need a DPA with each of them. Most major platforms provide a standard DPA you can sign.
- Data Retention Policy: You need to define how long you keep different types of personal data and delete it when that period expires. "We keep everything forever" is not GDPR-compliant.
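The consent gating described under Cookie Policy and the Cookie Consent Mechanism item above, as an added example (not FreeTOS code): non-essential categories load only after an explicit opt-in, "reject" is a real outcome, a changed policy version re-asks, and withdrawal hands back the cookies to expire. Category names, the storage key and the record shape are assumptions for this example.

```javascript
// Added example, not FreeTOS code. A minimal consent gate for non-essential
// cookie categories: nothing loads until the user explicitly opts in, "reject"
// is a first-class outcome, and consent can be withdrawn. Names are assumptions.

const CATEGORIES = ['analytics', 'advertising', 'social'];
const STORAGE_KEY = 'cookie_consent';
const CONSENT_VERSION = 1; // bump when the Cookie Policy changes so old consent is re-asked

// Parse a stored record; anything missing, corrupt or from an older policy
// version is "not decided", which the gate treats as no consent.
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (rec && rec.version === CONSENT_VERSION && rec.choices && typeof rec.choices === 'object') return rec;
  } catch (_) { /* corrupt value: fall through to "not decided" */ }
  return null;
}

// Only an explicit `true` counts. An absent key is a refusal, so the
// default can never behave like a pre-ticked "yes".
function isAllowed(record, category) {
  return Boolean(record && record.choices[category] === true);
}

// Store a decision. Accept-all and reject-all are both a single call.
function recordDecision(storage, choices, now = Date.now()) {
  const normalized = {};
  for (const c of CATEGORIES) normalized[c] = choices[c] === true;
  const rec = { version: CONSENT_VERSION, decidedAt: now, choices: normalized };
  storage.setItem(STORAGE_KEY, JSON.stringify(rec));
  return rec;
}

// Withdraw: drop the record and return the cookie names the caller must expire.
// `cookieRegistry` maps category -> cookies set by that category's scripts.
function withdrawConsent(storage, cookieRegistry) {
  storage.removeItem(STORAGE_KEY);
  return CATEGORIES.flatMap((c) => cookieRegistry[c] || []);
}

// Run each tag loader only if its category has consent; returns what ran.
function runGatedLoaders(storage, loaders) {
  const rec = parseConsent(storage.getItem(STORAGE_KEY));
  return Object.entries(loaders)
    .filter(([category]) => isAllowed(rec, category))
    .map(([category, load]) => { load(); return category; });
}

// Constructed stand-in for window.localStorage so this runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}
```

In a page, `loaders` would hold the functions that inject the analytics or ad tags, and `withdrawConsent`'s result is fed to a cookie-expiry routine.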
CCPA Compliance (for California Visitors)
The California Consumer Privacy Act applies to businesses that collect personal information from California residents. Given that California has 40 million people and is the world's fifth largest economy, there's a good chance some of your visitors are Californian.
CCPA applies to businesses that meet at least one of these thresholds: annual gross revenue over $25 million, buying or selling personal information of 100,000+ consumers per year, or deriving 50% or more of annual revenue from selling personal information.
Intentional CCPA violations carry fines of up to $7,500 per violation. Unintentional violations are $2,500 each. Violations can be per consumer record, which adds up fast.
What You Need for CCPA Compliance
- CCPA Privacy Policy Addendum: Your Privacy Policy needs to include specific CCPA disclosures about categories of personal information collected, purposes of collection, and whether you sell or share personal information.
- Right to Know: California residents can request to know what personal information you've collected about them. You need a process for handling these requests within 45 days.
- Right to Delete: California residents can request deletion of their personal information. You need to honor these requests (with some exceptions) and respond within 45 days.
- Right to Opt Out: If you sell or share personal information with third parties, you must provide a visible "Do Not Sell or Share My Personal Information" link. It needs to be in your footer, visible from every page.
COPPA (for Sites Targeting Children Under 13)
COPPA is in a different category entirely. Everything else on this list is about protecting adults. COPPA is about protecting children, and the requirements reflect that.
COPPA applies if your website is directed at children under 13, or if you have actual knowledge that you're collecting personal information from children under 13. The FTC has been very aggressive about COPPA enforcement. Fines have reached tens of millions of dollars.
If your site could attract children but isn't specifically directed at them, the FTC uses a "mixed audience" standard. Sites with content like cartoons, educational materials, or games that appeal to both children and adults often need to implement age-screening and COPPA compliance for users who identify as under 13.
If you're building anything in this space, please get a real lawyer involved. COPPA compliance goes beyond document generation into fundamental product decisions.
Generate All Your Legal Documents Free
FreeTOS has all 22 legal documents you need. Free. No signup. No payment. Generate a professional, tailored document in 60 seconds.
The Quick Reference Checklist Table
Here's the visual summary. Find your website type, check what you need.
| Legal Document | Blog | E-commerce | SaaS / App | Creator + Affiliates | Kids Site |
|---|---|---|---|---|---|
| Privacy Policy | ✓ | ✓ | ✓ | ✓ | ✓ |
| Terms of Service | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cookie Policy | if tracking | ✓ | ✓ | ✓ | ✓ |
| Refund Policy | — | ✓ | ✓ | — | — |
| Shipping Policy | — | ✓ | — | — | — |
| EULA | — | — | ✓ | — | — |
| SaaS Terms | — | — | ✓ | — | — |
| Data Processing Agreement | — | if EU B2B | ✓ | — | — |
| Affiliate Disclosure | if affiliates | if affiliates | — | ✓ | — |
| Earnings Disclaimer | if income claims | — | — | ✓ | — |
| GDPR Policy | if EU visitors | ✓ | ✓ | if EU visitors | ✓ |
| CCPA Policy | if CA visitors | ✓ | ✓ | if CA visitors | ✓ |
| COPPA Policy | — | — | — | — | ✓ |
| Data Retention Policy | — | if EU/GDPR | ✓ | — | ✓ |
| Medical Disclaimer | if health content | if health products | if health app | if health content | — |
| Financial Disclaimer | if finance content | — | if fintech | if finance content | — |
How to Get All of These Documents
Here's the good news. You don't need a lawyer for most of these. You don't need expensive compliance software. And you definitely don't need to copy someone else's Terms of Service (which is copyright infringement and also produces a document that doesn't actually fit your business).
FreeTOS has all 22 of these documents. Every single one. Free. No account required. You answer a few questions about your website and get a tailored, professional legal document in about 60 seconds.
Yes, you really do need all the ones that apply to you. Yes, it's worth the 60 seconds per document. The risk of skipping them is real, documented, and often far more expensive than the 10 minutes it takes to generate them all.
Here's what to do right now:
- Identify which category your site falls into using the table above
- Generate the required documents using the free generators at FreeTOS
- Add each document as its own page on your website
- Link all of them from your footer (every page, every document)
- For GDPR compliance, add a proper cookie consent banner that offers a real opt-out
- Set a calendar reminder to review everything in 12 months
That's the complete checklist. It's not glamorous. Legal compliance never is. But it's a lot less painful than the alternative.
Frequently Asked Questions
You need at minimum a Privacy Policy and Terms of Service for any blog that collects email addresses, uses analytics tools like Google Analytics, or displays ads. Most small blogs can skip the e-commerce and SaaS documents. But if you have any EU visitors at all, you also need a Cookie Policy and cookie consent mechanism under GDPR. The good news is all of these are free to generate.
Operating without a Privacy Policy is illegal in most jurisdictions if you collect any personal data. Under GDPR, fines can reach 20 million euros or 4% of global annual turnover. Under CCPA, intentional violations carry fines of up to $7,500 per violation. Even in the US without specific state laws, the FTC can take action against deceptive privacy practices. Beyond fines, Google Analytics requires you to have a Privacy Policy to use their service.
Partially. A well-written Privacy Policy can include GDPR and CCPA compliance sections within it. However, a Privacy Policy cannot replace a Terms of Service, a Cookie Policy, or an Affiliate Disclosure. Each document serves a distinct legal purpose and combining them into one document often results in something that doesn't satisfy the requirements for either.
You should review your legal pages at minimum once per year, and immediately whenever you change how you collect or use data, add new third-party services, change your pricing or refund model, or when new laws come into effect that apply to your audience. Set a calendar reminder for an annual review. It takes less than 30 minutes if you use a generator.
They're the same thing. Terms of Service, Terms and Conditions, Terms of Use, and User Agreement all refer to the same type of legal document. The naming varies by industry and company preference. SaaS companies tend to say Terms of Service. E-commerce stores often say Terms and Conditions. The legal function and requirements are identical regardless of what you call it.
Written by Abd Shanti. Building FreeTOS.org. Writing about website compliance, legal documents, and making legal tools accessible to everyone.