Seoxpert.io

Privacy Policy Does Not Disclose US Data Transfers (Schrems II)

Privacy policy omits required disclosure of EU→US data transfers and transfer mechanisms (SCCs/DPF) for US-hosted services.

By Seoxpert Editorial · Published

Why it matters

Failure to disclose international data transfers, as required by Schrems II, can result in regulatory penalties and loss of user trust. Search engines may flag non-compliant sites, affecting visibility. Users expect transparency about where their data is sent and under what safeguards.

Impact

Omitting this disclosure exposes the site to legal risk and possible enforcement actions under GDPR.

How it's detected

Automated analysis detects scripts transferring data to US services and scans the privacy policy for required transfer disclosures and mechanisms.
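A minimal version of that check, added here as an illustration and not Seoxpert's scanner: it collects the hosts of the page's script tags, maps them to US processors, and then verifies that the policy names each detected vendor and a transfer mechanism. The vendor/host table, the mechanism wording list and the sample page and policy texts are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed vendor table (an assumption, not Seoxpert's list): script hosts that
# identify a US-based processor, and the names a policy should use for it.
US_VENDORS = {
    "Google Analytics": {"hosts": {"www.googletagmanager.com", "www.google-analytics.com"},
                         "names": [r"google analytics", r"google llc"]},
    "Meta Pixel": {"hosts": {"connect.facebook.net"},
                   "names": [r"meta pixel", r"meta platforms", r"facebook"]},
}
# Wording that counts as naming a transfer mechanism (SCCs or DPF).
MECHANISMS = [r"standard contractual clauses", r"\bSCCs?\b",
              r"data privacy framework", r"\bDPF\b"]

class _ScriptSrcParser(HTMLParser):
    """Collects the hostname of every <script src=...> on the page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.add(host.lower())

def script_hosts(html):
    parser = _ScriptSrcParser()
    parser.feed(html)
    return parser.hosts

def detect_undisclosed_transfers(html, policy_text):
    """Return findings; an empty list means every detected US vendor is named in
    the policy and a transfer mechanism (SCCs or DPF) is stated."""
    hosts = script_hosts(html)
    detected = [v for v, spec in US_VENDORS.items() if hosts & spec["hosts"]]
    findings = [f"{v} loaded but not named in policy" for v in detected
                if not any(re.search(p, policy_text, re.I) for p in US_VENDORS[v]["names"])]
    if detected and not any(re.search(p, policy_text, re.I) for p in MECHANISMS):
        findings.append("US transfer detected but no SCC/DPF mechanism stated")
    return findings

# Constructed sample page loading both tags, plus before/after policy wording.
PAGE = ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'
        '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>')
POLICY_BEFORE = "We use Google Analytics to analyze website traffic."
POLICY_AFTER = ("We use Google Analytics (Google LLC, USA) and the Meta Pixel (Meta Platforms, Inc., USA). "
                "Personal data may be transferred to the USA under the EU-US Data Privacy Framework "
                "or Standard Contractual Clauses.")
```

Running `detect_undisclosed_transfers(PAGE, POLICY_BEFORE)` reports the unnamed Meta Pixel and the missing mechanism, while the after-text yields no findings.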

Common causes

  • Privacy policy templates not updated post-Schrems II
  • Lack of awareness about data flows to US vendors
  • Omission of Standard Contractual Clauses or DPF references
  • Failure to audit third-party scripts for data transfer

How to fix it

Update your privacy policy to include a section listing all US-based processors (e.g., Google Analytics, Meta Pixel) and state the transfer mechanism used (Standard Contractual Clauses or EU-US Data Privacy Framework certification). Ensure this section is clear, specific, and kept current as your vendors or legal bases change. Link to relevant SCCs or DPF details where appropriate.

Code examples

Before: Missing US transfer disclosure

We use Google Analytics to analyze website traffic.

After: Proper US transfer disclosure with mechanism

We use Google Analytics (Google LLC, USA). Personal data may be transferred to the USA under the EU-US Data Privacy Framework or Standard Contractual Clauses. More information: https://policies.google.com/privacy/frameworks

FAQ

What should be included in the privacy policy for US data transfers?

List all US-based processors, specify the transfer mechanism (SCCs or DPF), and provide links to relevant documentation.

Is it enough to mention Google Analytics without transfer details?

No. You must explicitly state that data may be transferred to the US and under which legal mechanism.

Do I need to update my privacy policy if I add a new US vendor?

Yes. The privacy policy must always reflect current data transfer practices and mechanisms.

What is the EU-US Data Privacy Framework (DPF)?

The DPF is a lawful mechanism for transferring personal data from the EU to certified US companies.
