Even though all privacy policies seem similar at first glance, they actually require a lot of work to create and customize because businesses collect, process, and use personal information in unique ways.
Plus, different laws and regulations apply to different entities.
Let’s dive into them.
- Spending Too Little Time Preparing
- Misstating Your Data Processing Activities
- Misunderstanding What Laws Apply to Your Business
- Using Complicated Language
- Not Reviewing Carefully
- Not Getting Clear Consent From Users
- Misplacing It on Your Site or App
- Using a Non-Reputable Generator or Template
Spending Too Little Time Preparing
Don’t get me wrong, I understand why business owners sometimes do this — we all want the process of creating necessary legal documents to be quick, easy, and painless.
Specifically, you must determine:
- What data privacy laws apply to your business?
- What personal data does your website, app, or platform collect from users?
- Why do you collect the data, and how do you use it?
- How will you store the data to keep it safe and secure?
- Do you share the data with any third parties (and do they follow the same privacy guidelines as your business)?
Privacy policies are living documents that must accurately reflect your current data collection and processing activities. An inaccurate policy directly violates data privacy laws and misleads the people who visit and use your platform.
Laws such as the General Data Protection Regulation (GDPR) also hold you financially accountable if your policy details are inaccurate or inconsistent with reality.
When it comes to your consumers, trust me, you don’t want to lose their trust — look at these alarming data privacy statistics:
- 39% of users would likely turn away from a company that required them to provide highly personal information. (Akamai)
- 48% of users have stopped buying from a company over privacy concerns. (Tableau)
- 33% of users have terminated relationships with companies over data. (Cisco)
- 71% of the world’s countries now have data privacy legislation in place, and another 9% have drafts moving through their governments. (UN)
See precisely what he had to say.
Misstating Your Data Processing Activities
Believe it or not, that’s not even the largest GDPR fine ever issued.
Attorney Nadine Talaat Issues the Same Warning
When we spoke with data privacy expert and attorney Nadine Talaat about the top mistakes business owners should avoid when making their privacy policies, she immediately mentioned misstating privacy practices.
Read exactly what she had to say on the matter below.
Misunderstanding What Laws Apply to Your Business
Most data privacy laws have broad scopes and affect businesses outside the regions where the legislation is in force. In other words, companies not located in Europe still fall under the GDPR, just like entities outside of California can fall under the jurisdiction of the CCPA.
When determining the data protection legislation that affects your company, it may also help if you answer the following questions:
- What jurisdiction are you in?
- Where are your customers located?
- What industry or industries are you in?
- Are there any industry-specific laws you must comply with?
Below, I included the legal threshold for 12 of the most significant data privacy laws worldwide and details about the penalties for violating those laws.
Read through these carefully and take note of the ones that apply to you.
| Data Privacy Law | Legal Threshold | Penalties for Violating the Law |
|---|---|---|
| General Data Protection Regulation (GDPR) | Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA). | |
| The Data Protection Act (UK GDPR) | Any organization offering goods or services to UK citizens that processes their personal data. | |
| Amended California Consumer Privacy Rights Act (CCPA/CPRA) | For-profit entities that do business in California and meet one of the following: | |
| California Online Privacy Protection Act (CalOPPA) | Any website with California visitors falls under the threshold of this law. | |
| Virginia Consumer Data Privacy Act (VCDPA) | Entities doing business in Virginia or targeting Virginia residents that meet one of the following: | |
| Connecticut Data Protection Act (CTDPA) | Any data controller or processor that conducts business in Connecticut or produces products or services targeted at Connecticut consumers and meets one or more of the following: | |
| Colorado Privacy Act (CPA) | Controllers that conduct business in Colorado or that produce or deliver commercial products intentionally targeted to Colorado residents and meet one (or both) of the following: | |
| Children’s Online Privacy Protection Act (COPPA) | Any website or online service that is directed to children under 13 that: | |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donor, membership, or fundraising lists, falls under PIPEDA. | |
| Australia’s Privacy Act of 1988 | Any Australian government entities, organizations that have annual gross revenue of $3 million, and small businesses that make less than $3 million that meet any of the following: | |
| New Zealand’s Privacy Act of 2020 | Any person, organization, or business in the public or private sector that collects and holds personal information about other people. | |
| South Africa’s Protection of Personal Information Act (PoPIA) | Any entity registered in South Africa that processes the personal data of people in any location, and any entity located outside the country that outsources its data processing to South Africa. | |
Using Complicated Language
Some legislation, including the GDPR, states that entities with privacy policies not written in plain language violate the law. This requirement ensures transparency so everyone can read and understand what’s happening to their personal information and their rights over their data.
Similarly, you should avoid writing large text walls with convoluted run-on sentences.
Not Reviewing Carefully
Ensure you read through it and check for errors, inconsistencies, or anything you may have skipped or left out. You should also double-check it for grammar issues and verify its readability.
Not Getting Clear Consent From Users
Depending on what privacy laws you fall under, you may need to obtain explicit, affirmative opt-in consent from users before data collection occurs. This is notably the case under the GDPR if consent is one of your legal bases for processing personal information.
I typically recommend using a checkbox — just be sure it’s unmarked, as pre-ticked checkboxes are not GDPR-compliant.
Misplacing It on Your Site or App
You should always plan to post your policy in more than one spot, but the precise locations depend on what laws your business falls under.
For example, under the CCPA, you must present your users with a notice at or before the point of collection. If you store personal information during the checkout process, you must provide a link to your policy on your checkout page.
- The footer of your website
- A static menu in your app
- Payment screens or checkout pages
- New user account creation pages
- In your marketing emails
- Content submission forms — if you allow users to post their creations
- On any forms that collect personal information from users
Using a Non-Reputable Generator or Template
- 🚩 There are no questions about where your users are from: Knowing where your users are located helps determine if your business falls under certain data privacy laws. If a generator isn’t asking you for this information, it will likely miss laws you may need to follow.
- 🚩 There aren’t many questions for you to answer: If a generator or template feels very short, it may be because it’s missing essential clauses and elements necessary for achieving full legal compliance. Be wary of any super short policies, as they’re likely incomplete.
- 🚩 They don’t ask about your use of internet cookies: Internet cookies qualify as personal information, and many data privacy laws require you to allow users to opt out of things like targeted advertising, often done by placing internet cookies on your users’ browsers. If a template or generator doesn’t have anything about cookies in it, then it’s probably incomplete.
Trust me, it’s worth putting in the extra effort now to avoid those hefty fines and public backlash in the future.
DISCLAIMER: All information, content, materials, and quotes presented in this article are for general informational purposes only and do not, and are not intended to, constitute legal advice. Information on this page may not constitute the most up-to-date legal or other information.