Even though privacy policies seem similar across the board at first glance, they actually require a lot of work to create and customize. Privacy policies need to accurately reflect what your company does and how your company can protect your customers’ data. Otherwise, you can be prosecuted for misstating your data processing activities and failing to protect user privacy adequately.
Spending Too Little Time on Drafting
Many small businesses don’t spend enough time drafting their privacy policies.
With so many resources on the internet, you may be tempted simply to download a template and make superficial changes, such as typing in your company name and address.
However, this is not the right way to use these templates. Templates are only meant to be a starting point.
If you choose to use a template or generator, you still need to ensure that the policy reflects what you do. For instance, if the template doesn’t have any clauses describing what you do, you should add them. Don’t just rely on the template’s existing clauses or copy what your competitors are doing. Even though it may seem like privacy policies are very similar to one another, they are not.
As a general rule, be as specific as possible about what information you’re collecting, whom you’re collecting the information from, and what rights consumers have regarding the data collection process.
“Set it and Forget it” Privacy Notices
Depending on where you operate, some laws also require annual reviews or updates. The California Consumer Privacy Act (CCPA), for instance, requires businesses to update the following sections of their privacy policies “at least once every 12 months”:
- The list of the categories of personal information collected from consumers in the previous 12 months
- The list of categories of personal information about consumers that the business has sold in the previous 12 months or, if applicable, a statement that the business has not sold personal information in the previous 12 months
- The list of categories of personal information about consumers that a business has disclosed for business purposes in the previous 12 months, or if applicable, a statement that it has not disclosed personal information for these purposes in the past 12 months
- The description of a consumer’s rights and how they can submit requests
Each law has its own requirements for what you need to update and when, so be sure to do proper research before updating your privacy notice.
If you’re using a template or generator to create your policy, you should note that not all websites update their templates or generators. So, for example, while Termly’s free generator is constantly updated to reflect the latest laws, don’t just rely on our updates.
Misstating Your Data Processing Activities
Your privacy notice must accurately describe, in particular:
- What kind of data you process
- Whether you sell data
- Your data transfer mechanism
- Your security practices to protect data and prevent data theft and breaches
Misunderstanding What Laws Apply to Your Business
Before you start drafting your privacy notice, you also need to understand which laws apply to your business. Ask yourself the following questions:
- What jurisdiction am I in?
- What industry or industries am I in?
- Are there any industry-specific laws I need to comply with?
Even if you are in a particular jurisdiction — say, California — it doesn’t mean that every privacy law in your jurisdiction instantly applies to your company. The CCPA, for instance, only applies to a business that meets one or more of the following requirements:
- Buys, receives, sells, or shares for a commercial purpose the personal information of 50,000 or more California residents
- Has an annual gross income of more than $25 million
- Makes 50% or more of its annual income from selling personal information
If your business doesn’t meet the CCPA threshold, there’s no need to say that you are compliant with the CCPA. Saying you are compliant with the CCPA even if it doesn’t apply to you is not as harmless as it seems — rather than covering your bases, doing so can land you in hot water. Not only is it considered misstating your data processing activities, but authorities and regulators may also hold your company to CCPA standards — even if you don’t have to comply with CCPA standards because of your company’s size and practices.
Keep in mind that the CCPA is only one example of a law that has a threshold analysis. Therefore, you need to conduct thorough research to determine what laws apply to your business.
Writing the Policy Too Narrowly or Not Thinking Ahead
It’s a good idea to write your policy more broadly and to think ahead in order to craft a comprehensive privacy notice for your company.
Writing too narrowly puts you at greater risk of making a deceptive statement, since your company’s practices can change over time. It also forces you to update your policy more often than necessary, wasting time and energy.
You should craft your policy with language that leaves a little room for your processing activities to change over the next couple of months. For example, if you know that you’re going to be using data in a new way in a few months, you should think about how to make room for this development in your policy. That way, you won’t have to update your privacy notice every time you make a little change.
As a reference, take a look at Termly’s policy generator and the sample contract you can generate with it using the “preview” button. It’s written to allow you to describe current and near-future practices without including overly narrow or deceptive language. At the same time, the language we use makes sure that the contract is transparent enough to satisfy European requirements such as the GDPR.
Using Too Much Legalese
We are often tempted to make our privacy notices more complex than they need to be out of a desire to look more “professional.” As such, we end up filling our policies with technical and legal jargon that only lawyers understand, such as:
- Breach of contract
- Act of God
- Duty of care
- Caveat emptor
Notice how Google’s privacy policy uses short sentences and multiple headings to guide the reader. It also uses bullet points to break down more complicated points and employs a friendly, relaxed tone, so readers aren’t on edge.
Not Reviewing Carefully
Make sure you’re following the advice laid out in this article as you build your privacy notice, and pay particular attention to how you’re representing your business. Otherwise, you may create various problems for yourself down the line, especially if you:
- Spend too little time drafting your contract
- Misstate your data processing activities
- Misunderstand what laws actually apply to your business
- Write your policy too narrowly