The Lemmy federation is not a single legal entity; it's a collection of servers operated by different people. This means that Lemmy as a whole cannot have a privacy policy β but a single server instance might.
For example, the lemmy.world instance has a link at https://lemmy.world/legal which directs you to the policies at mastodon.world, which is operated by the same person. The privacy policy is here.
This is similar to email. There's nobody in charge of all of email, so there's nobody who can set a policy for all of email. But a specific email provider, like Hotmail or Gmail, certainly can & do have policies.
Most Lemmy instances are run by individual volunteers as a personal hobby, rather than being run by businesses professionally. As such, they might not be covered by privacy laws such as ~~the EU GDPR (which doesn't apply to personal activity) or~~ California CCPA (which only applies to for-profit activity). (Edited; see below)
Of course, if anyone wants to run a Lemmy instance commercially β or if an existing business decides to run their own, professionally β they would be covered by these laws.