
7 Common Privacy Policy Issues to Avoid

by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

December 15, 2021


As regulators and consumers become savvier about privacy issues (a trend that recent data privacy statistics confirm), you need to develop a thorough understanding of how to write a privacy policy. Unfortunately, creating a privacy policy is not as simple as it looks, even if you’re using a privacy policy generator or template.

Even though privacy policies seem similar across the board at first glance, they actually require a lot of work to create and customize. Privacy policies need to accurately reflect what your company does and how your company can protect your customers’ data. Otherwise, you can be prosecuted for misstating your data processing activities and failing to protect user privacy adequately.

Read on to learn more about the seven privacy policy issues you should avoid.

Table of Contents
  1. Spending Too Little Time on Drafting
  2. “Set it and Forget it” Privacy Notices
  3. Misstating Your Data Processing Activities
  4. Misunderstanding What Laws Apply to Your Business
  5. Writing the Policy Too Narrowly or Not Thinking Ahead
  6. Using Too Much Legalese
  7. Not Reviewing Carefully
  8. Conclusion

Spending Too Little Time on Drafting

Many small businesses don’t spend enough time drafting their privacy policies.

With so many resources on the internet, you may be tempted to just download a template and make simple changes, such as typing in your company name and address.

However, this is not the right way to use these templates. Templates are only meant to be a starting point.

If you choose to use a template or generator, you still need to ensure that the policy reflects what you do. For instance, if the template doesn’t have any clauses describing what you do, you should add them. Don’t just rely on the template’s existing clauses or copy what your competitors are doing. Even though it may seem like privacy policies are very similar to one another, they are not.

In other words, two-minute privacy policies don’t exist. Don’t think of privacy policies as templates to customize; consider them as promises you make with your customers and potential customers. A privacy policy that does not describe what you currently do is arguably worse than no privacy policy at all.

As a general rule, be as specific as possible about what information you’re collecting, whom you’re collecting the information from, and what rights consumers have regarding the data collection process.

Use Termly to Save Time on Your Privacy Policy

Now that you have a clearer idea of how to approach drafting a privacy policy, here’s how you can use Termly’s generator to easily create a comprehensive privacy policy:

Step 1: Go to Termly’s privacy policy generator.

Step 2: Answer our prompts and questions, and go through all of the steps until you reach “Final Details.”

[Screenshot: the “Final Details” step of Termly’s privacy policy generator]

Step 3: Once you’ve filled in everything and you are satisfied with the preview, click “Publish.” You will then be prompted to create an account on Termly so you can save and edit your privacy policy further.

“Set it and Forget it” Privacy Notices

Many businesses spend a lot of time and money on drafting the perfect privacy notice. However, don’t just forget about your privacy notice once you’ve finished drafting it. Your privacy policy needs to be updated at least once per year as your business changes.

Some laws also require annual reviews or updates depending on where you are. The California Consumer Privacy Act (CCPA), for instance, requires businesses to update the following sections of their privacy policies “at least once every 12 months”:

  • The list of the categories of personal information collected from consumers in the previous 12 months
  • The list of categories of personal information about consumers that the business has sold in the previous 12 months or, if applicable, a statement that the business has not sold personal information in the previous 12 months
  • The list of categories of personal information about consumers that a business has disclosed for business purposes in the previous 12 months, or if applicable, a statement that it has not disclosed personal information for these purposes in the past 12 months
  • The description of a consumer’s rights and how they can submit requests

Each law has its own requirements for what you need to update and when, so be sure to do proper research before updating your privacy notice.

If you’re using a template or generator to create your policy, you should note that not all websites update their templates or generators. So, for example, while Termly’s free generator is constantly updated to reflect the latest laws, don’t just rely on our updates.

If your business has changed, or the way you handle consumers’ personal data has changed, you need to go through your privacy policy manually to see whether any changes are needed. Otherwise, your privacy policy won’t accurately reflect what your company does and offers.

Misstating Your Data Processing Activities

This is one of the most common privacy policy issues, particularly when you’re writing a policy based on what you think a policy should look like.

Instead of modeling your privacy notice after those of your competitors, you need to step back and think about what privacy practices your company actually has. Specifically, you should make notes about the following before drafting your privacy policy:

  • What kind of data you process
  • Whether you sell data
  • Your data transfer mechanism
  • Your security practices to protect data and prevent data theft and breaches

Otherwise, you can get in trouble. For example, in the United States, many laws prohibit deceptive statements such as misstating your data processing activities. As such, regulators are constantly looking for any incongruencies between a company’s actions and what its privacy policy actually says.

Fortunately, Termly’s privacy policy generator allows you to provide comprehensive information about what you do. In the “Use of Information” section, you can use our existing boilerplate clauses and add your own clauses to explain how you will use the information you collect.

[Screenshot: the “Use of Information” section of Termly’s privacy policy generator]

Misunderstanding What Laws Apply to Your Business

Before you start drafting your privacy notice, you also need to understand which laws apply to your business. Ask yourself the following questions:

  • What jurisdiction am I in?
  • What industry or industries am I in?
  • Are there any industry-specific laws I need to comply with?

Even if you are in a particular jurisdiction — say, California — it doesn’t mean that every privacy law in your jurisdiction instantly applies to your company. The CCPA, for instance, only applies to a business that meets one or more of the following requirements:

  • Buys, receives, sells, or shares for a commercial purpose the personal information of 50,000 or more California residents
  • Has an annual gross income of more than $25 million
  • Makes 50% or more of its annual income from selling personal information

If your business doesn’t meet the CCPA threshold, there’s no need to say that you are compliant with the CCPA. Saying you are compliant with the CCPA even if it doesn’t apply to you is not as harmless as it seems — rather than covering your bases, doing so can land you in hot water. Not only is it considered misstating your data processing activities, but authorities and regulators may also hold your company to CCPA standards — even if you don’t have to comply with CCPA standards because of your company’s size and practices.

Keep in mind that the CCPA is only one example of a law that has a threshold analysis. Therefore, you need to conduct thorough research to determine what laws apply to your business.

Writing the Policy Too Narrowly or Not Thinking Ahead

It’s a good idea to write your policy more broadly and to think ahead in order to craft a comprehensive privacy notice for your company.

Writing too narrowly could put you at a greater risk of making a deceptive statement since your company can change from time to time. This will also prompt you to update your policy more often than needed, leading to wasted time and energy.

You should craft your policy with language that leaves a little room for your processing activities to change over the next couple of months. For example, if you know that you’re going to be using data in a new way in a few months, you should think about how to make room for this development in your policy. That way, you won’t have to update your privacy notice every time you make a little change.

As a reference, take a look at Termly’s policy generator and the sample contract you can generate with it using the “preview” button. It’s written to allow you to describe current and near-future practices without including overly narrow or deceptive language. At the same time, the language we use makes sure that the contract is transparent enough to satisfy European requirements such as the GDPR.

You should also note that material changes to your privacy policy require notice. In other words, you’ll need to update users whenever you update your privacy policy to comply with laws and regulations, as well as to demonstrate that your business cares about its users’ privacy rights.

Informing your users about privacy policy updates will help you avoid future disputes. For example, suppose a user is dissatisfied with a part of your policy that you changed recently and believes that your company’s practices fail to protect their privacy. In that case, you can remind them of the notice you sent them about the change. If you did not notify them of your changes, they could leave negative reviews or potentially take legal action.

Using Too Much Legalese

Another privacy policy issue to look out for is using too much legalese.

We are often tempted to make our privacy notices more complex than they need to be out of a desire to look more “professional.” As such, we end up filling our policies with technical and legal jargon that only lawyers understand, such as:

  • Breach of contract
  • Precedent
  • Act of God
  • Duty of care
  • Caveat emptor
  • Indemnity

This is such a common problem that the European privacy law, the GDPR, explicitly requires privacy notices to be written in plain language; a policy that isn’t is in violation of the law. The aim is transparency, so that everyone can understand what privacy rights they have. Companies also need to consider the reading level of their intended audience. For instance, if your company deals with data related to children, then your privacy policy’s reading level should be accessible to those children.

A great example is Google’s privacy policy for children under 13, which addresses specific data privacy issues in a friendly yet professional tone:

[Screenshots: the “What information does Google collect?” and “How does Google use the information?” sections of Google’s privacy policy for children]

Notice how Google uses short sentences and multiple headings to guide the reader. It also uses bullet points to break down more complicated points and employs a friendly, relaxed tone, so readers aren’t on edge.

Not Reviewing Carefully

Before diving into the privacy policy creation process, keep in mind that you should only use these generators and templates as starting points.

It’s tempting to just fill in the blanks of these templates and call it a day, but that won’t cut it. To create a comprehensive privacy policy, you must review your contract manually and thoroughly.

Conclusion

Make sure you’re following the advice laid out in this article as you build your privacy notice, and pay particular attention to how you’re representing your business. Otherwise, you may create various problems for yourself down the line, especially if you:

  • Spend too little time drafting your contract
  • Misstate your data processing activities
  • Misunderstand what laws actually apply to your business
  • Write your policy too narrowly

To ensure transparency, you should also make the privacy policy itself simpler and more accessible to readers by using plain language and avoiding legalese.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes...