Privacy policies are so important and widespread that they are, ironically, easy to ignore. But this would be a mistake, because having an accurate, up-to-date privacy policy is one of the easiest ways to protect yourself from lawsuits or enforcement actions.
Beyond all the other ways you might run into trouble, the FTC has a long history of including privacy policy infringements when it builds a case against a company, and it continues to actively enforce those issues. European authorities can be even more aggressive in today’s GDPR world.
Fortunately, for most organizations it’s relatively easy to avoid these ten common privacy policy mistakes:
1. Burying the Policy
It’s common to hide a privacy policy link in small print at the very bottom of your web pages—or worse, not even link to it on most pages at all. While you don’t need to put the policy front-and-center for your web visitors, it does need to be easy to find.
On pages where you’re actively collecting user data like email addresses or payment information, the privacy link needs to be immediately visible from the same screen as the collection forms themselves.
2. Copying Another Privacy Policy or Relying on Boilerplate
While it seems like common sense to avoid this tactic, many companies literally copy and paste a competitor’s privacy policy and call it a day. But even when you’re making use of a convenient policy generator tool, it’s important to ensure the policy is relevant to your website. If you’re starting from a pre-written policy, go through it line by line to make all information relevant to your website, and add any missing clauses that should be present.
3. Failing to Ask for Consent
The days of opt-out are over. Active opt-ins are an important legal protection, especially within sales or sign-up pages. It’s usually best to prompt first-time visitors with an immediate pop-up requiring them to consent to all relevant policies, including privacy, cookies, and other info.
4. Using a Single Policy for Multiple Types of Users
If your website is used by multiple categories of users, you need to have a privacy policy for each. While you could dump every policy onto a single page, the text would be very complicated to read—perhaps illegally so, depending on the situation. For that reason, it’s best to maintain separate policies for categories like consumers, vendors who log in to your site, and other partners. But even if you keep the policies on a single page, make sure every section is tailored to all user types.
5. Obsolete and Neglected Privacy Policies
Privacy policies are definitely not a “set it and forget it” concern. Even if nothing has changed about your business itself, it’s a near-certainty that regulations or requirements will have shifted over the years, so it’s important to keep current. If you’re not auditing and reviewing your policy at least once per year, it’s probably already outdated in some way.
6. Failing to Understand GDPR Ownership Requirements
Many organizations think that being based in the United States means they’re not subject to the European Union’s GDPR stipulations. However, the GDPR is explicitly written to be “attached” to users, not businesses. That means if even a single EU citizen accesses your website, you’re technically liable for GDPR enforcement. Additionally, remember that the GDPR takes a very broad view of what qualifies as personal data, so your policy needs to cover any type of identifiable user information that’s relevant.
7. Being Vague or Incomplete About Collected Information
It’s not enough to say you’re collecting information; you also need to precisely detail each type of information that’s collected, whether email addresses, social media handles, or even a simple name. If your business changes and you begin collecting a new data type, that also needs to be added to your policy.
8. Failing to Explain How You Use and Share Data
Each category of collected information should have an attached clause explaining how you use that data. It’s also important to explicitly identify any and all partners with whom the data might be shared, even if their own privacy policies cover the issue too. Blanket phrases like “data may be shared with outside partners” are not likely to hold up under scrutiny or enforcement.
9. Neglecting Third-Party Requirements
Make sure your policy includes any clauses required by third-party partners. Notably, Facebook Pixel and Amazon Affiliates both require you to mention their use in your own privacy policy, though you can link users to their own policies for in-depth explanations. Check with all third-party tools to see if they require similar steps.
10. Not Including Privacy Contact Information
Users need to be able to raise any questions or concerns about the privacy policy, so make sure you’ve designated a specific contact person or department, then include the email address or contact link in the policy itself.
Stay Compliant and Stay Protected
Privacy policies are your best insurance against complaints or enforcement, so keeping yours accurate and up to date should be a core business priority. Fortunately, most mistakes relate to outdated or incomplete policies, so as long as you’re regularly reviewing yours to ensure it’s current, you can protect yourself from negative consequences now and in the future.