Complete Guide: Privacy Policy for Google Merchant Center Approval

gmcapproval.com – Professional GMC Compliance Service

If you’re running an eCommerce store or a small business that wants approval from Google Merchant Center, your Privacy Policy is NOT optional – it’s a critical trust signal for Google.

Common reasons for rejection include:

  • Incomplete privacy & data transparency (missing data collection, usage, cookies, user rights, and third-party processors)
  • Weak or unclear refund/return policy (no conditions, timeframe, return address, or non-refundable item details)
  • Unclear shipping & order policy (missing delivery time, costs, regions, and processing time)
  • Missing or poorly structured legal pages (no Terms & Conditions, liability, jurisdiction, disclaimers, or update date)
  • Inconsistent, inaccessible, or non-matching policies (not linked properly, contradictory info, or not aligned with actual business operations)

This guide will help you create a fully compliant, approval-safe Privacy Policy.

What Google Actually Wants (Simple Truth)

Google cares about clarity, not fancy words. Specifically, it looks for:

  • Transparency
  • Real business identity
  • Clear data usage
  • User protection
  • Accurate and consistent business information across all pages
  • Fully functional website with working links, checkout, and contact details
  • Compliance with all advertised products, pricing, and fulfillment promises

If your policy looks fake, copied, or incomplete → Suspension risk

Key Elements Your Privacy Policy MUST Include

1. Business Identity (CRITICAL)

Must clearly state:

  • Business name
  • Website URL
  • Contact email
  • Physical address (if possible)
  • Business registration details (company number or legal entity info, if applicable)
  • Customer support availability (response time, support hours, or support channels)
  • Clear ownership/operator disclosure (who runs the business or is the responsible entity behind the website)

Missing this = Misrepresentation flag

Also include: last updated date of the policy, and a dedicated policy version number if you update it regularly. Google flags outdated or undated policies as trust risks.

2. What Data You Collect

Be explicit. Mention:

  • Personal info: name, email, phone
  • Address & billing info
  • Payment data (via third-party processors)
  • Device data (IP, browser, cookies)
  • Order history and transaction details
  • Account login credentials (if user accounts are created)
  • Communication data (emails, chat messages, or support inquiries)


If you use remarketing pixels (e.g., Google Ads tag, Meta Pixel), you must disclose that behavioral/advertising data is also collected. Omitting this is a direct Google policy violation.

3. How You Use Data

Clearly explain:

  • Order processing
  • Shipping & delivery
  • Customer support
  • Marketing (email/SMS – ONLY if applicable)
  • Payment processing and fraud prevention
  • Legal compliance and regulatory requirements
  • Website improvement and analytics (performance tracking and user experience optimization)

4. Third-Party Services (VERY IMPORTANT)

Mention services like:

  • Payment gateways (Stripe, PayPal, etc.)
  • Analytics tools
  • Advertising platforms (like Google Ads)
  • Shipping and logistics providers (couriers, fulfillment partners)
  • Email/SMS marketing platforms (newsletter or automation tools)
  • Customer support or CRM systems (live chat, helpdesk software)

Not mentioning third parties = trust issue

For each third-party processor, ideally name them specifically (e.g. “We use Google Analytics to track website usage”). Generic statements like “we use analytics tools” are increasingly flagged by Google as insufficiently transparent.

5. Cookies & Tracking

You must disclose:

  • Cookie usage
  • Tracking technologies
  • Analytics usage
  • Purpose of cookies (e.g., site functionality, personalization, performance tracking)
  • User consent and cookie control options (accept/reject/manage preferences)
  • Third-party tracking tools (e.g., advertising pixels, remarketing scripts)

If you operate in the UK or EU, a cookie consent banner is legally required under PECR/privacy rules — not just a privacy policy mention. Your policy should reference that a cookie consent mechanism is in place on your website.

6. Data Protection

Explain:

  • How you protect user data
  • Security measures (SSL, encryption, etc.)
  • Access control (who inside the business can access user data)
  • Secure storage practices (protected servers, secure databases, limited retention)
  • Breach response procedure (how users are notified in case of a data leak or security incident)

Specifically state that your website runs on HTTPS/SSL. Google Merchant Center checks for this independently – an unsecured site will be suspended regardless of policy quality.

7. User Rights

Include:

  • Access to their data
  • Request deletion
  • Opt-out of marketing
  • Right to correct or update personal information
  • Right to data portability (request a copy of their data)
  • Right to withdraw consent at any time (especially for marketing or cookies)

8. GDPR / CCPA Compliance Standards

What This Section Must Include in Your Privacy Policy:

  • Explicitly state which regulations govern your store (GDPR for the EU, CCPA for California, PDPA for Thailand/others).
  • Declare the lawful basis for processing personal data (e.g., contractual necessity, legitimate interest, or user consent).
  • If you collect data from EU residents, appoint or name a Data Protection Officer (DPO) or a designated privacy contact.
  • For CCPA: disclose whether you sell or share personal information, and honor the ‘Do Not Sell My Personal Information’ right.
  • State that users have the right to lodge complaints with the relevant supervisory authority (e.g., ICO in the UK, CNIL in France).
  • Include the legal jurisdiction and governing law for your privacy practices.

Regulation   | Applies To                 | Key Requirement
-------------|----------------------------|-------------------------------
GDPR         | EU / EEA customers         | Lawful basis, DPO, user rights
CCPA / CPRA  | California (USA) customers | Do Not Sell right
PDPA         | Thailand customers         | Consent-based processing
PIPEDA       | Canadian customers         | Accountability principle

Without regulatory compliance disclosure, Google considers your policy legally insufficient, increasing the risk of account suspension in EU or US markets.

9. Data Retention Timelines

What This Section Must Include in Your Privacy Policy:

  • Specify how long each data category is retained before deletion or anonymization.
  • State that data is deleted upon request or after the stated retention period, whichever comes first.
  • Explain why each retention period is necessary (e.g., legal obligation, tax records, fraud prevention).
  • Clarify what happens to data when a user closes their account or requests erasure.
  • Note any legally mandated minimum retention periods (e.g., financial records kept for 7 years).

Data Category                | Retention Period         | Reason
-----------------------------|--------------------------|------------------------
Order & transaction records  | 7 years                  | Legal / tax obligation
Account & personal data      | Until deletion + 30 days | Contractual necessity
Marketing preferences        | Until opt-out or 2 years | Consent-based
Support / communication logs | 3 years                  | Dispute resolution
Cookie & analytics data      | 13 months (standard)     | Analytics best practice

Policies without retention timelines are considered incomplete data transparency – a direct trust signal failure that can lead to a Merchant Center suspension.

10. Contact Information

Must be:

  • Visible
  • Real
  • Working
  • Multiple contact channels (email, phone, contact form, or live chat)
  • Response timeframe (expected reply time for customer inquiries)
  • Dedicated support section or department (e.g., “Customer Support Team”)

Google actively verifies that contact details are reachable. A contact form alone is insufficient – include a real email address. A phone number, while not mandatory, significantly increases your trust score in Google’s review.

What Causes Suspension (Don’t Ignore This)

These are the top reasons most e-commerce and business-owner stores fail:

  • Fake or copied privacy policy
  • No business identity
  • No mention of data usage
  • No contact info
  • Mismatch between website & policy
  • Hidden or hard-to-find policy page
  • Misleading product or pricing information
  • Missing or unclear refund and return policy
  • No shipping details or unrealistic delivery claims
  • Broken website links or incomplete pages
  • Website not secured (no HTTPS/SSL)
  • Inconsistent information across pages
  • Out-of-stock or unavailable products are listed as available
  • Use of copyrighted or stolen content/images
  • Prohibited or restricted products are listed
  • Poor website navigation or an incomplete checkout process
  • Fake reviews or misleading trust signals
  • No clear terms & conditions page
  • Suspicious or duplicate business information across the web

ADDITIONAL SUSPENSION CAUSES (frequently missed):

→ Policy page not linked in the website footer on every page – Google crawls footer links to verify policy accessibility.

→ Policy hosted on a subdomain or third-party URL that doesn’t match your store domain – raises misrepresentation flags.

→ Return address listed in policy does not match a verifiable business location.

→ Currency or pricing shown in policy or checkout does not match the target market (e.g., USD shown to UK customers).

→ No clear indication of which country’s laws govern the policy – jurisdiction must match where your business is registered.

How gmcapproval.com Can Help

Writing a compliant privacy policy from scratch is time-consuming and easy to get wrong. Our team at gmcapproval.com specializes in getting eCommerce stores approved through Google Merchant Center quickly and correctly.

We provide:

  • Fully compliant, custom-written Privacy Policy tailored to your business
  • Terms & Conditions, Refund Policy, and Shipping Policy – all aligned for GMC approval
  • Policy consistency audit across all pages of your website
  • Suspension appeal support if your account has already been flagged
  • Ongoing compliance review as Google updates its requirements

This guide is provided by gmcapproval.com for informational purposes. Content reflects Google Merchant Center best practices as of 2025. Green highlighted sections denote additions to the original guide.

Contact Us

Address (UK): 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom.
Address (Bangladesh): Khaja Super Market, 1207 Mirpur Rd, Dhaka 1207, Bangladesh.
Phone Number: +8801332852516
Email: sales@gmcapproval.com
Website: gmcapproval.com