Google Merchant Center Missing Privacy Policy: How to Fix It (2026)
A missing privacy policy is a common cause of Google Merchant Center suspension. Google requires all merchants participating in Google Shopping to maintain a clear, accessible privacy policy on their website. Without one, Google considers your store to be non-compliant with consumer data protection standards — and your products are blocked from appearing in Google Shopping results.
This guide explains exactly why Google requires a privacy policy, what it must contain, where to place it, and how to use it to get your Merchant Center account reinstated.
Why Google Requires a Privacy Policy
A privacy policy is a legal document that explains to visitors how their personal data is collected, used, stored, and protected. In many jurisdictions (including the EU under GDPR, California under CCPA, and others), having a privacy policy is a legal requirement for any website that collects personal data.
Google Shopping requires a privacy policy for two main reasons: legal compliance and consumer trust. Google cannot list products from merchants who may be operating illegally or without transparency about data practices. Even if your business operates in a region without strict data protection laws, Google applies its privacy policy requirement globally to all merchants.
Specifically, if your website uses analytics tools (like Google Analytics), collects email addresses, has a checkout process, or shows personalized content, you are collecting personal data — and a privacy policy is required.
What Your Privacy Policy Must Include
Your privacy policy doesn't need to be written by a lawyer, but it does need to cover the basics that Google (and applicable laws) require:
1. What Data You Collect
Explain what types of personal data your website collects. Common examples include:
- Name and contact information (collected during checkout or contact form submissions)
- Payment information (clarify if you use a third-party payment processor like Stripe or PayPal, and that you don't store card data)
- Email address (for order confirmations, newsletters)
- IP address and browser data (collected automatically by web servers and analytics tools)
- Cookies and tracking data
2. How You Use the Data
Explain what you do with the data you collect. Common uses include:
- Processing and fulfilling orders
- Sending order confirmations and shipping updates
- Improving the website based on usage analytics
- Sending marketing emails (if applicable)
- Complying with legal obligations
3. Third-Party Data Sharing
Disclose any third parties that receive your customers' data. This includes shipping companies, payment processors, email marketing platforms, and analytics services. For each, briefly explain why data is shared and how those parties use it.
4. Cookies
If your website uses cookies — which almost all websites do — explain what cookies are used, why they are used, and how visitors can control cookie settings. This is especially important for EU visitors under GDPR.
5. Data Retention
Explain how long you keep personal data and when you delete it. For example: "We retain order information for 7 years to comply with tax regulations. Email marketing contacts are removed if they unsubscribe."
6. User Rights
Tell users what rights they have regarding their data. Under GDPR (applicable to EU customers), users have the right to access, correct, delete, and restrict the processing of their data. Even if you don't serve EU customers, including these rights is good practice and builds trust.
7. Contact Information for Data Queries
Provide a way for users to contact you about data privacy matters — typically an email address. This is often the same as your general business contact email.
8. Policy Update Date
Include the date the policy was last updated. This shows Google and users that your privacy policy is maintained and current.
Where to Place Your Privacy Policy
Google's reviewers look for the privacy policy in specific locations on your website:
Dedicated Privacy Policy Page
Create a dedicated page for your privacy policy (e.g., /privacy-policy.html or /privacy). This makes it easy for Google to find and index the policy, and gives users a clean URL to reference.
Footer Link
Add a link to your Privacy Policy in your website footer. The footer appears on every page, so this ensures the privacy policy is accessible from anywhere on your site. Use clear link text like "Privacy Policy."
Checkout Page Reference
Many ecommerce platforms automatically include a privacy policy link during checkout. If yours doesn't, add one. This is especially important when customers are about to submit personal and financial data.
Cookie Banner / Consent Notice
If you serve EU customers (or anyone under GDPR), your cookie consent banner should link to your privacy policy. This is both a legal requirement and a signal of compliance that Google respects.
Step-by-Step: How to Fix the Missing Privacy Policy Issue
Step 1: Write or Generate Your Privacy Policy
If you don't have a privacy policy, you have several options:
- Write one yourself using the sections described above as a guide. This is perfectly valid and many small businesses do this.
- Use a free privacy policy generator — there are many reputable tools online that generate a basic privacy policy from your answers about your data practices. Always review the output to make sure it matches your actual practices.
- Hire a lawyer — for businesses handling sensitive data or operating in strictly regulated jurisdictions, professional legal help may be worth the investment.
Step 2: Create a Dedicated Privacy Policy Page
Add the privacy policy to a dedicated page on your website. The URL should be intuitive, such as /privacy-policy or /privacy.
Step 3: Link It in Your Footer
Add "Privacy Policy" as a link in your footer, pointing to your new page. Verify that the link works and the page loads correctly.
Step 4: Verify It's Crawlable
Make sure your privacy policy page is not blocked in your robots.txt file and is not protected by a login or password. Google needs to be able to visit and read the page.
Step 5: Check Google Merchant Center Business Information
In Google Merchant Center, navigate to Business Information > Policies and verify that you have a privacy policy URL entered there. This should match your live privacy policy page URL.
Step 6: Submit Your Reinstatement Appeal
When writing your appeal, specifically mention that you have added a privacy policy. For example: "I have created a comprehensive privacy policy page at /privacy-policy.html, covering data collection, use, third-party sharing, cookies, and user rights. This page is linked in the footer on every page of the website and referenced during checkout." For more guidance, see our appeal writing guide.
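The checks from Steps 3 to 5 can be scripted before you appeal. The following is an added example, not part of the original guide: `audit`, the sample HTML and robots.txt, and the `shop.example` URLs are constructed for illustration, and `Googlebot` as the crawler user agent is an assumption. It does not detect a login wall, which needs a live request to the page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (not taken from a real store).
PAGE_URL = "https://shop.example/"
MERCHANT_CENTER_URL = "https://shop.example/privacy-policy.html"
HTML = ('<main>Products</main><footer><a href="/returns">Returns</a> '
        '<a href="/privacy-policy.html">Privacy Policy</a></footer>')
ROBOTS_OK = "User-agent: *\nDisallow: /checkout/\n"
# Rules are prefix matches, so this one also covers /privacy-policy.html.
ROBOTS_BLOCKING = ROBOTS_OK + "Disallow: /privacy\n"

class FooterLinks(HTMLParser):
    """Collect [href, link text] for every <a> inside <footer>."""
    def __init__(self):
        super().__init__()
        self.in_footer, self.in_link, self.links = False, False, []
    def handle_starttag(self, tag, attrs):
        if tag == "footer":
            self.in_footer = True
        elif tag == "a" and self.in_footer:
            self.in_link = True
            self.links.append([dict(attrs).get("href"), ""])
    def handle_endtag(self, tag):
        if tag == "footer":
            self.in_footer = False
        elif tag == "a":
            self.in_link = False
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data

def audit(page_url, html, robots_txt, merchant_center_url, agent="Googlebot"):
    """Return a list of problems; an empty list means every check passed."""
    parser = FooterLinks()
    parser.feed(html)
    found = [urljoin(page_url, href) for href, text in parser.links
             if href and "privacy" in text.lower()]
    if not found:
        return ["no footer link with 'privacy' in its text"]
    url, problems = found[0], []
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch(agent, url):
        problems.append(f"robots.txt blocks {agent} from {urlsplit(url).path}")
    if url != merchant_center_url:
        problems.append("footer URL differs from the Merchant Center URL")
    return problems
```

Calling `audit(PAGE_URL, HTML, ROBOTS_BLOCKING, MERCHANT_CENTER_URL)` reports the robots.txt block: a rule meant for one path also matches the policy page because robots.txt rules match by prefix.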
Common Privacy Policy Mistakes
Copying Another Business's Privacy Policy Word-for-Word
A privacy policy that references a different business name, incorrect data practices, or inapplicable laws can actually hurt your case with Google reviewers. If you use a template, thoroughly customize it to reflect your actual business operations.
Privacy Policy Not Accessible to Crawlers
If your privacy policy page is blocked by robots.txt or requires a login to view, Google cannot verify it exists. Always test that the page is publicly accessible without any login or account.
Privacy Policy Only in a Modal or Pop-Up
A privacy policy that only appears as a pop-up or inline modal (without its own URL) may not be indexed by Google. Always have a dedicated, indexable page with a permanent URL.
Outdated Privacy Policy
A privacy policy that hasn't been updated in several years, or that doesn't mention modern tools you use (like Google Analytics 4, Facebook Pixel, or specific payment processors), may not satisfy Google's reviewers. Keep your policy current.
Privacy Policy and GDPR/CCPA Compliance
If you sell to customers in the EU or California, your privacy policy must also comply with GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act) respectively. Key additional requirements under these laws include:
- GDPR: Legal basis for processing, data subject rights (access, deletion, portability), DPO contact information if applicable
- CCPA: Right to opt out of data sale, right to know what data is collected and why, non-discrimination for exercising rights
While Google doesn't audit your GDPR/CCPA compliance directly, having a policy that addresses these frameworks demonstrates seriousness about data protection and strengthens your reinstatement appeal.
Related Policy Issues to Check
A missing privacy policy is often only one of several policy issues present when an account is suspended. Before appealing, also check:
- Missing return policy
- Missing contact information
- Missing shipping policy
- Complete Google Merchant Center suspension fix checklist
Frequently Asked Questions
Does my privacy policy need to be written by a lawyer?
No. For most small and medium businesses, a well-written DIY privacy policy or one generated from a reputable template tool is sufficient for Google's requirements. However, if you operate in heavily regulated industries (healthcare, finance) or jurisdictions with strict enforcement, legal advice is recommended.
Can I use the same privacy policy page for multiple stores?
Only if the policy accurately describes the data practices for all stores. Each Google Merchant Center account is tied to a specific domain, so your privacy policy page must be on the same domain as the store you're trying to reinstate.
My website already has a privacy policy — why was my account suspended?
Several possibilities: the policy may not be easily accessible (no footer link), it may be blocked from Google's crawlers, it may be hosted on a different subdomain than the store, or it may lack key required content. Review it carefully against the requirements listed above.