10 Common Issues with Privacy Policies
In early 2019, Texas-based Osano began publishing a list of what it called the "data privacy misleaders board." The list includes companies that have both the worst Privacy Policies and general transparency for their users based on in-depth reviews by Osano and a team of 24 lawyers.
The list includes some obvious companies like Snapchat and Facebook, which are infamous for their fast-and-loose approach to privacy. But it also includes organizations you might not expect, like Delta Airlines, GoFundMe, and the government of the United Kingdom.
Osano's complaint: not only do these organizations fail to protect user privacy, but they aren't shy about it either.
Both consumers and regulators are becoming more privacy savvy than ever before.
There are 10 common issues that pop up again and again in Privacy Policies that everyone should learn to avoid. Here's what they are, how to avoid them, and examples of what you need to do to be transparent and compliant.
- 1. You Write in Legalese
- 3. You Don't Comply With Relevant Legislation
- 4. You Don't Update It to Match Your Data Practices
- 5. You Don't Ask for Consent
- 6. You Missed Important Clauses
- 7. You Wrote an Enormous Block of Text
1. You Write in Legalese
Do you use words like:
- Caveat emptor
- Duty of care
- Act of God
If you do, then you write in legalese. And while your lawyer may insist on its importance, your average user has no idea what it means or how it applies to the way they use your site. If they don't understand it, you aren't being transparent.
A good example of how NOT to write in legalese comes from Ticketmaster.
Ticketmaster also provides a short summary in plain English to give its customers a baseline of information before they dive into the details below. Readability is critical for Privacy Policies, and as long as you communicate what's essential, you can't go too far in accommodating your users.
Is there a link to it on your home page?
3. You Don't Comply With Relevant Legislation
Do you collect data from European residents? Are children among your website's core market? Did you set up shop in California?
If you said yes to any of the above, then there are at least three privacy protection laws that could impact your business.
The first law is the GDPR, which applies to any website that collects personal information from people in the European Union, whether or not the business itself is based there. The GDPR has specific requirements for Privacy Policies, and there are clauses you must include, such as a description of the rights users have under the GDPR.
For example, Delta Airlines lists user rights and explicitly notes that it "applies only to individuals in the European Union and other countries which grants the rights described here."
If you have users in California, you'll need to be familiar with the requirements of CalOPPA, the California Online Privacy Protection Act. This Act has strict requirements for Privacy Policies, including how you display the Policy link and which clauses you include.
You'll need a Do Not Track clause that states how your site responds to browser "Do Not Track" signals, and you should draw attention to the fact that you provide specific rights to California users, as Apple has done in its legal page titled "Your California Privacy Disclosures":
Finally, don't forget about the California Consumer Privacy Act (CCPA) and its CPRA amendments. It applies to businesses that do business in California and meet its thresholds, wherever they are based, and it protects the privacy rights of California residents.
4. You Don't Update It to Match Your Data Practices
Here's an example from Mansueto Ventures, an online publisher:
5. You Don't Ask for Consent
In the past, consent was assumed: if a user visited your site, they automatically agreed to your data practices.
Today, the standard for consent is much higher thanks to laws like the GDPR, which requires consent to be freely given, specific, informed and unambiguous. Even if the GDPR doesn't apply to you, it is worth following its standards, because doing so better protects both your business and your users.
What does consent look like today?
Here's how Walmart Canada does this on its Create Account page:
6. You Missed Important Clauses
Some of the clauses businesses often miss are the legislative clauses discussed above, such as those required by the GDPR or CalOPPA, or by COPPA if children are part of your audience.
Another important clause frequently missing from Privacy Policies is the business transfer clause. It states that if your business is sold, merged or otherwise transferred, the user database and its contents may be passed to the new owner. Even if you don't plan to sell your business, you benefit from having this clause, because without it a later transfer of user data may contradict what you told users.
Spotify provides a business transfer clause under the heading "Information we may share":
7. You Wrote an Enormous Block of Text
Too many Privacy Policies still use a 2000s-era format: big words, tiny print, and enormous, almost illegible blocks of text.
Apple uses text of different sizes, illustrative pictures and white space to make its Privacy information super readable.
While both are legal and protect your business, it's clear to see which one is easier to read.
Some companies write their Privacy Policies to reflect their fear of lawsuits - not their commitment to their customers.
Rather than addressing the areas that impact and concern users, many Privacy Policies talk about what the company "might," "occasionally," or "from time to time" do.
Rather than describing actual practices, such Policies downplay the company's involvement in potentially questionable data practices and obfuscate or omit others.
Here's an example.
NBC Universal lists all the information it collects from users, including information provided to them from the user and information collected automatically.
One thing it collects is "Offline Information."
The clause says that NBC collects "certain information" from its users offline, regardless of which device is used.
Disclosing this keeps the company in line with the law. But what does it mean? An informed consumer would want to know:
- What is "certain information"?
- Why is it being collected, stored, and transmitted?
- Is there any way to opt out?
NBC's failure to answer these questions is one of the reasons it ended up on Osano's list of "data privacy misleaders."
If your business falls under the SaaS category, then you likely have several different types of users: customers, developers, and partners.
- General users ("Everyone")