To stay compliant with privacy laws and continue to operate transparently, you need to make privacy policy updates and notify your users of these changes.
As you already know, you’re required to have a privacy policy (use a website privacy policy template or an email privacy policy template to make sure you cover the necessary sections) to meet legal privacy standards. But many companies fail to maintain an updated privacy policy — compromising their compliance and undermining user trust.
When you make privacy policy changes, notify your users in order to stay compliant with laws and regulations, and to develop a strong rapport with your customers.
1. Why Make Privacy Policy Changes
The ecosystem of business — particularly online business — is not static. Changes are often made to forecasts, models, and business plans in order to better suit the company’s needs. These changes are based on critical growth assessments and fiscal performance reviews.
As with all company practices and policies, it is essential to periodically review your privacy policy to ensure that it’s up-to-date and still an accurate reflection of your current way of doing business.
Every time you change the functionality of your website, you should review your policy and consider whether it still adequately addresses your data collection practices. If you add a new payment option to your online store, for example, or overhaul your platform — which may collect user information in a different way — you need to review and possibly update your privacy policy.
If you make any changes to your policies, make sure you also keep a records of those changes.
Similarly, if state or federal laws change, you are obligated to comply and must ensure that your policy is consistent with the new legal mandates.
2. Why You Should Inform Users About Changes to Your Privacy Policy
Depending on the kind of information you collect, your privacy policy will be governed by state and/or federal laws. You may be required to provide notification of any changes you make to your legal policies.
It also makes good business sense to incorporate privacy by design and create an atmosphere of transparency with your customers in order to gain their trust.
1. You Want to Avoid Legal Challenges
You are legally required to have a privacy policy if your site collects personal information from customers. Personal information includes birthdates, names, email addresses, and phone numbers.
This requirement is the result of state laws such as the California Online Privacy Protection Act (CalOPPA), which applies to any website that gathers information from California consumers, regardless of the location of the business.
The FTC’s Gramm-Leach-Bliley Act also governs privacy and the collection of financial data — including credit card information. Failure to comply with state or federal laws can result in serious legal sanctions against your business.
Federal legislation also prohibits engagement in deceptive business practices. If you change your privacy policy and do not let anyone know, you have not fulfilled your obligation to your consumers.
Changing the rules without notice can be framed in court — and in the public eye — as a deceptive practice and companies who do not abide by their own privacy policies risk a lawsuit brought by their state’s attorney general.
2. You Want to Avoid Public Backlash
Increasingly, internet users are becoming more conscious of the information they share online. While much focus in the U.S. and internationally regarding online privacy law is on personally identifiable information, concerns are also frequently raised about aggregate data that is collected and sold in order to streamline marketing efforts.
Legal protections for this kind of information were supposed to come into effect this fall, but the Washington Post reported in March that the proposed protections have been halted by the new administration.
In order to earn trust with customers, it is crucial for businesses to be transparent about their use of information. The Small Business Administration recommends that your privacy policy include descriptions of how you use cookies — identifiers that track user history — and about the information that is collected, stored, or sold.
Customers should have easy access to a contact form for any questions or complaints.
3. You Market to Children
Your responsibility is particularly serious if your website attracts or markets specifically to children. Data collected from users under the age of 13 is subject to federal legislation implemented to protect them and their interests.
If you are updating your website with anything that remotely relates to children under 13, perform a critical review of your privacy policy language and make sure it complies with the Children’s Online Privacy Protection Act (COPPA).
4. It’s About Trust
At the end of the day, maintaining trust with your users is what will keep you in business. In the world of online business, your customers rarely have voice-to-voice or face-to-face contact with a real person who works for your business. Your trust is built almost entirely on the promises you make through the text and images on your site, and how well you keep those promises.
Regardless of whether it is a legal requirement, being upfront about how you handle user data is one way to develop long-lasting customer relationships.
3. How You Can Notify Users About Updates to Your Privacy Policy
After you have drafted your updated privacy policy, it is essential to let your users know in a way that makes them aware of the changes. If you have an email list of customers, send an updated privacy notice when the policy is in place or in advance of planned updates.
If you run a site which has regular users who may need time to transition off of your site if they do not agree to your new policy, you should offer them the courtesy of advanced notice of at least a couple of weeks.
You can also create a blog post or addition to your site’s news section. Place a banner on your site’s home page and/or a pop-up that lets people know about the new policy before they begin to interact with the site. That way, they have the opportunity to leave if they find the changes unacceptable.
Your notification email or pop-up should include a link to the complete text of the new privacy policy. Ideally, you also want to include a point-form snapshot of key changes. That way, in the event of a legal challenge, you can make the argument that users were not only informed of the policy updates, but you made the information accessible and easy to comprehend, as well.
4. Why Update a Privacy Policy
Now and then, you may notice your email inbox flooded with “we’ve updated our privacy policy” messages. While the occasional privacy policy update email likely just means the company has changed its policies, a sudden onslaught of updates and accompanying notifications usually means one thing — a new privacy law.
While privacy laws have been around for decades, the introduction of legislation like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has ushered in a new privacy landscape. With growing public concern over user data and data hacking on the rise, laws are being passed around the world every year to better regulate digital data handling.
So, why exactly is updating their privacy policies year after year? In short, they have to — and you probably do too.
The majority of privacy laws establish new standards for privacy policies. So when a new law or regulation comes to pass, one of the first steps you need to take to stay compliant is to update your privacy policy and notify users of the changes.
To stay ahead of the curve with privacy policy updates, here’s a table of the most recent and upcoming laws that have triggered (or are soon to trigger) mass policy update campaigns:
| Law/Regulation Name: | Effective Date: | Summary: |
| GDPR | May 25, 2018 | The GDPR is a European data protection law designed to give individuals more control over their personal information, and the opportunity to interact safely with online platforms. |
| CCPA | January 1, 2020 | The CCPA outlines new standards for data collection, new consequences for businesses that fail to protect user data, and new rights that California consumers can exercise over their data. |
| ePrivacy Regulation | TBD | The regulation seeks to set privacy standards regarding electronic communications – and the metadata associated with the electronic communications – of European citizens. |
