10 Common Issues with Privacy Policies
In early 2019, Texas-based Osano began publishing a list of what it called the "data privacy misleaders board." The list includes companies that have both the worst Privacy Policies and general transparency for their users based on in-depth reviews by Osano and a team of 24 lawyers.
The list includes some obvious companies like Snapchat and Facebook, who are infamous for their fast-and-loose approach to privacy. But it also includes groups you might night expect, like Delta Airlines, GoFundMe, and the government of the United Kingdom.
Osano's complaint: not only do these organizations fail to protect user privacy, but they aren't shy about it either.
Both consumers and regulators are becoming more privacy savvy than ever before.
To avoid ending up on Osano's list, violating privacy laws, or becoming the target of your customer's ire, you need a strong Privacy Policy that's free from the issues that Osano points out.
There are 10 common issues that pop-up again and again in Privacy Policies that everyone should learn to avoid. Here's what they are, how to avoid them, and examples of what you need to do to be transparent and compliant.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. 1. You Write in Legalese
- 2. 2. You Hide Your Privacy Policy
- 3. 3. You Don't Comply With Relevant Legislation
- 4. 4. You Don't Update It to Match Your Data Practices
- 5. 5. You Don't Ask for Consent
- 6. 6. You Missed Important Clauses
- 7. 7. You Wrote an Enormous Block of Text
- 8. 8. Your Team Doesn't Know What's in Your Privacy Policy
- 9. 9. Your Privacy Policy Worries More About Litigation than Fair Processing
- 10. 10. You Only Use One Privacy Policy for Different Users
- 11. Don't Make These Privacy Policy Mistakes
1. You Write in Legalese
Is your Privacy Policy filled with legal and technical jargon that only your lawyer's lawyer understands?
Writing in legalese is one of the hallmarks of a bad Privacy Policy. The practice was (and is) so rampant that the European privacy law - the GDPR - went out of its way to make it crystal clear that Privacy Policies that don't use plain language are in violation of the law.
Do you use words like:
- Caveat emptor
- Duty of care
- Act of God
- Jurisdiction
- Precedent
If you do, then you use legalese. And while your lawyer may insist on its importance, your average user has no idea what it means or how it applies to the way they use your site. If they don't understand it, then you aren't being transparent.
Transparency is the ultimate goal of a Privacy Policy.
A good example of how NOT to write in legalese comes from Ticketmaster.
Ticketmaster breaks down its data practices in a way that makes sense to anyone at an eighth grade reading level:
It also provides a short summary in simple English to provide its customers a baseline of information before diving into the details below. Readability is critical for Privacy Policies, and as long as you communicate what's essential, you can't go too far in accommodating your users.
2. You Hide Your Privacy Policy
Where is your Privacy Policy located on your website?
Is there a link to it on your home page?
For most companies, it lies in the website footer next to other legal documents like a Cookies Policy and Terms & Conditions. Because so many sites place it there, the webpage footer has become almost uniform and customers know to expect to find your Privacy Policy here.
Here's an example of a clearly placed Privacy Policy from Slack:
And here's another example from The Guardian, who not only links to the Privacy Policy in the page footer but also links to it when asking for consent to place cookies upon the first visit to the site:
The bottom line: your Privacy Policy should be easily accessible from anywhere on your website. If users have to search for it, then it's hidden and that's not good.
3. You Don't Comply With Relevant Legislation
Do you collect data from European residents? Are children among your website's core market? Did you set up shop in California?
If you said yes to any of the above, then there are at least three privacy protection laws that could impact your business.
The first law is the GDPR, and it applies to any website that collects personal information from European residents. The GDPR has specific guidelines for Privacy Policies, and there are clauses you must reference such as user rights under the GDPR.
For example, Delta Airlines lists user rights and explicitly notes that it "applies only to individuals in the European Union and other countries which grants the rights described here."
Meredith Publishing links to the European Union Privacy Information directly from its standard Privacy Policy:
Does your site appeal to children under 13 years of age? Then your site falls under the scope of the Children's Online Privacy Protection Act (COPPA). You want to both address COPPA and make sure your Privacy Policy meets COPPA rules.
Given that children fall under its target market, the Walt Disney Family of Companies created a Privacy Policy that deals specifically with kids 12 and under:
If you have users in California, you'll need to be familiar with requirements of CalOPPA - the California Online Privacy Protection Act. This Act has some strict requirements for Privacy Policies including how you display the Policy link and what clauses you include.
You'll need a Do Not Track clause, and should make sure to draw attention to the fact that you provide unique rights to California users, as Apple has done here in its legal page titled "Your California Privacy Disclosures":
Finally, don't forget about the California Consumer Privacy Act (CCPA) and its CPRA amendments. It impacts businesses based in California and protects the privacy rights of people living in California.
4. You Don't Update It to Match Your Data Practices
When was the last time you updated your Privacy Policy? Was it when you wrote it? If so, your policy is likely due for a tune-up.
Only your company knows whether your Privacy Policy truly reflects your data practices, but your customers might get an inkling sooner than you think, particularly in our increasingly privacy-conscious culture.
To reassure your customers, add an "effective from" date to the top of your Privacy Policy.
Here's an example from Mansueto Ventures, an online publisher:
Don't forget: If you update your Privacy Policy in a material way, you should inform your users via a Privacy Policy Update Notice and ask for consent a second time.
Conduct a privacy law self-audit to make sure you have a good grasp on the current privacy practices at your business so you can accurately convey it in your Privacy Policy and update your policy if needed.
5. You Don't Ask for Consent
Your Privacy Policy only benefits you when your visitors read and consent to it.
In the past, we believed consent was assumed. If a user visits your site, they automatically agree to your data practices.
Today, the standard for consent is much higher thanks to laws like the GDPR. Even if the GDPR doesn't apply to you, it is worth following their standards because it better protects your business and your users.
What does consent look like today?
It's affirmative. It requires action from the user. Consent looks like a checkbox that requires the user to click the box and then click "Okay" or something similar to agree to your Privacy Policy:
Here's how Walmart Canada does this on its Create Account page:
Note the checkbox that users must check to agree that they have read and are accepting the Privacy Policy, which is linked to the statement for user convenience.
If you have a solid Privacy Policy, you need to get solid consent to it from your users or it won't do you much good if legal issues ever arise.
6. You Missed Important Clauses
Your Privacy Policy needs to strategically represent each of the ways you collect, use and store data.
Some of the clauses businesses often miss out on are those legislative clauses listed above, such as the need to comply with the GDPR or COPPA.
However, there might be other clauses missing that result in your Privacy Policy being incomplete. These often relate to moving or sharing your data to a third party.
For example, if you move data to another country, then you need to say so in your Privacy Policy. You particularly need this clause if you must comply with the GDPR.
Another important clause frequently missed by Privacy Policies is the business transfer clause. It states that if you sell your business, then you will pass the database and its contents over to the new owner. Even if you don't plan to sell your business, you benefit from having this clause.
Spotify provides a business transfer clause under the heading "Information we may share":
Before you consider your Privacy Policy to be complete, make sure you give it a review to ensure you've included all the important clauses that you may have overlooked.
7. You Wrote an Enormous Block of Text
As previously noted, not making a Privacy Policy easily readability is one of the biggest mistakes businesses make when constructing their Policies.
Too many still use a 2000s-era format: big words, tiny print, and enormous and almost illegible blocks of text.
Readability is increasingly governed by law, and in cases where you market to children, you need to provide a Privacy Policy they can read.
Apple provides an excellent example of how you can write an effective Privacy Policy without using a wall of text:
Apple uses text of different sizes, illustrative pictures and white space to make its Privacy information super readable.
On the other hand, Twitter still uses the text wall format. While it isn't as easy to read as Apple's Privacy Policy, the site does break down the text in a way that's at least searchable:
While both are legal and protect your business, it's clear to see which one is easier to read.
8. Your Team Doesn't Know What's in Your Privacy Policy
You have a Privacy Policy, and it reflects your data practices - on paper. But does your team know what's in your Privacy Policy and more importantly, does their lack of knowledge impact whether you uphold each clause as you should?
Everyone who controls, processes, or accesses your data needs to know what's in your Privacy Policy, how it matches your operations, and what your consumers expect from you. This makes it more than just a document and an actual true practice and reflection of your practices.
9. Your Privacy Policy Worries More About Litigation than Fair Processing
Some companies write their Privacy Policies to reflect their fear of lawsuits - not their commitment to their customers.
Rather than addressing areas that impact and concern users, many Privacy Policies talk about what the company "might," "occasionally," or "from time to time" do.
Rather than describing true practices, the Policies mitigate the company's involvement in potentially questionable data practices and either obfuscated or omitted other practices.
So if you write your Privacy Policy in a way that says you "might" do this, or you "reserve the right," consider what your users want - and then give it to them.
Here's an example.
NBC Universal lists all the information it collects from users, including information provided to them from the user and information collected automatically.
One thing it collects is "Offline Information."
The clause says that NBC collects "certain information" when its users are offline regardless of what device is used.
That NBC discloses this keeps the company in line with the law. But what does it mean? An informed consumer would want to know:
- What is "certain information"
- Why is it being collected, stored, and transmitted
- Is there any way to opt-out
NBC's failure to acknowledge these questions is one of the reasons it ended up on Osano's list of "data privacy misleaders."
10. You Only Use One Privacy Policy for Different Users
If your business falls under the SaaS category, then you likely have several different types of users: customers, developers, and partners.
The way you use data changes based on how they use your service. So, your Privacy Policy needs to reflect this.
Including all three categories of user in a single Privacy Policy makes your document long, complicated, and virtually unreadable. To make it simple, you need a policy for each of your key categories of customers.
HubSpot does just that with its Privacy Policy:
The service adds a Privacy Policy for its:
- Customers
- Partners
- Developers
- General users ("Everyone")
Each Privacy Policy is found under its respective heading to make it clear what data practices occur at each level.
Don't Make These Privacy Policy Mistakes
Your Privacy Policy serves both your customers and your business, so you want to be sure that your policy is:
- Readable
- Transparent
- Accessible
- Complete
All in all, you want to be sure that your Privacy Policy reflects both your data practices and your customer's privacy expectations. If you can do that, you are more likely to write a meaningful Privacy Policy as well as one that complies with existing and future privacy legislation.
