Oh, you think no one reads privacy policies? You think no one cares that you’ve been using the same one since 2011? Well, the law cares.
There’s a high chance that at least one of those laws impacts your business.
And, as it turns out, your customers care, too. Just look at the recent data privacy statistics:
- 67% of internet users worldwide are more concerned with their online privacy than they’ve ever been. (LegalJobs.IO)
Why Are So Many Privacy Policies Being Updated?
But whenever a sudden onslaught of updates and accompanying notifications occurs, it usually means a new data privacy law has entered into action.
When you think about it, this makes sense — privacy laws establish the standards for privacy policies, so one of the first steps businesses take is to update, change, or amend their agreement and notify their users.
Doing so keeps you out of trouble with new or changing laws and shows your customers that you’re a privacy-literate, trustworthy company.
And asking your customers to agree to an old, outdated document that no longer reflects your privacy practices is, frankly, dishonest.
Just put yourself in your customers’ shoes — would you buy something from a website you don’t trust? Of course not.
This is especially vital for businesses because we live in a digital era. More and more people — business owners and shoppers alike — understand that their personal information gets tracked online, and they want to know where it’s ending up and what’s happening to it.
| Law | Who It Applies To | Update Requirement / Penalty for Violating the Law |
|---|---|---|
| General Data Protection Regulation (GDPR) | Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA). | |
| UK GDPR | Any organization offering goods or services to UK citizens that processes their personal data. | |
| ePrivacy Directive (EU Cookie Law) | | You must update your policy with new cookies or trackers your site uses, or else you could be fined for violating this law. |
| Amended California Consumer Privacy Act (CCPA) | For-profit entities that do business in California and meet one of the following: | The amended CCPA explicitly states that you must update your policy at least once every 12 months. |
| California Online Privacy Protection Act (CalOPPA) | Any website with California visitors falls under the threshold of this law. | You must present your users with an accurate policy reflecting your current privacy practices, or else you risk getting fined for violating this law. |
| Virginia Consumer Data Protection Act (CDPA) | Entities doing business in Virginia or targeting Virginia residents who meet one of the following: | |
| Personal Information Protection and Electronic Documents Act (PIPEDA) | Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donors, membership, or fundraising lists, falls under PIPEDA. | You must follow all ten fair information principles, which include openness about your personal data management practices. Dishonesty could lead to fines for violating this law. |
If even just one applies to your business, you’ll need to set your website up for full compliance to avoid getting fined for violating the law.
But don’t worry, I know of a company that can help simplify the whole process for you — it’s Termly (Obviously! Who did you think I’d recommend?).
Privacy policies are living documents that you should review and update every few months — I like to add it as a talking point to our meeting agendas practically every quarter, just to be on the safe side.
But it’s particularly important to make changes whenever you modify the types of data you collect from users or adapt how you use that information.
Not only does this suggest that the business might not be compliant, but it also makes me wonder what else the company isn’t being transparent about.
It’s a best business practice (and a GDPR requirement) to incorporate privacy by design into your procedures and create an atmosphere of transparency with your customers regarding their data.
- Want to build trust and help your business avoid public backlash
- Target your goods or services to children
Build Trust and Avoid Public Backlash
Trust is not just a buzzword to me (and the rest of the Termly team). It’s a necessary part of collecting, processing and using personal data. To earn the trust of your customers, you must be honest with them about how you do all three of these things.
You also need to let them know if and when those processes change and exactly what is different from before.
I’m not sure who needs to hear this, but your customers are not just graphs of data to use for marketing and advertising purposes — they’re just like you; they’re human beings who deserve to be treated with respect.
Respect means being transparent about what data you collect about them and explaining how and why you use that information.
You Market to Children
If you make any changes to your processing practices, you must update your policy immediately and inform the parents or legal guardians of those minors.
For example, the Children’s Online Privacy Protection Act (COPPA) protects data collected from users under 13 in the US.
Similarly, the amended CCPA has stricter guidelines regarding how you obtain consent and whether you can sell or share the data of underage users.
Update notifications are important because laws like the GDPR require you to re-obtain consent from individuals if you want to start collecting new information from them or use their data in ways not previously outlined in your agreement.
- Using a banner or pop-up notice
- Sending out an email update
- Creating a blog or news post
I know it’s tempting, but taking shortcuts isn’t worth it, especially when it comes to privacy compliance, so I recommend implementing more than one of these methods.
Just remember to change the ‘last updated’ date and include it somewhere on your final document so it’s easy for consumers to spot.
Now let’s go over each of these notification methods in more detail.
Banner or Pop-up Notice
It’s a good idea to implement the banner in a way that users will see it as soon as they come to your site, regardless of what page they land on.
Include a link to your new policy directly on the banner so anyone can easily read it. Explain what’s new using simple language so it’s accessible to as many different readers as possible.
Below, see an example of how the Beaurivage MGM Resort hotel inserted a banner on its site to inform users that it recently updated its privacy agreement.
There’s a chance not everyone will see it, especially since you probably won’t permanently leave the pop-up banner on your site. So use this method in combination with other notification solutions.
Remember to include a link to the complete text of the new policy and use simple language to explain what changes you’re implementing. If a legal challenge occurs, you can argue that your users were informed about the changes and had easy access to the new document.
Blog or News Post
Unlike the pop-up banner solution, blog posts live on your site forever, giving your customers more time to read about the changes you’ve made to your policy.
And, if a legal dispute arises, having a proper log of the past iterations of your policy can help you prove that you’ve implemented the appropriate updates and changes following relevant data privacy laws.
They continually add to this archive whenever another update occurs, which I recommend you also do.
- Using a managed solution
- Updating a free template
- Writing it yourself
Our generator asks you simple, relevant questions about your business’s data privacy processes and kicks out a legally compliant, thorough, and properly formatted policy for you based on your answers. No hassles, no fuss.
When it’s time to make a change, you simply pop back into the Termly dashboard anytime and make the updates directly in the builder.
You must manually fill in blank sections of a template with information about your business, so it requires more hands-on work.
But when it’s time to make some updates, you simply go back into the document, find the necessary clauses or features, and write in the new information yourself.
Writing It Yourself
But to make the process easier for you, I have a few tips and tricks:
I could — and often literally do — talk about privacy policies all day, so if you still have questions about updating yours, check out answers to some frequently asked questions on the topic below.
Why are all the privacy policies changing?
Privacy policies change when companies implement new privacy protocols or in an effort to abide by legal obligations.
Why did so many privacy policies update in 2018?
In 2018, the GDPR entered into force, and many businesses updated their privacy policies to meet the requirements outlined by the regulation.