10 Common Issues with Privacy Policies

Last updated on 06 September 2019 by Nicole Olsen

In early 2019, Texas-based Osano began publishing a list of what it called the "data privacy misleaders board." The list includes companies that have both the worst Privacy Policies and general transparency for their users based on in-depth reviews by Osano and a team of 24 lawyers.

The list includes some obvious companies like Snapchat and Facebook, who are infamous for their fast-and-loose approach to privacy. But it also includes groups you might not expect, like Delta Airlines, GoFundMe, and the government of the United Kingdom.

Osano's complaint: not only do these organizations fail to protect user privacy, but they aren't shy about it either.

Both consumers and regulators are becoming more privacy savvy than ever before.

To avoid ending up on Osano's list, violating privacy laws, or becoming the target of your customers' ire, you need a strong Privacy Policy that's free from the issues that Osano points out.

There are 10 common issues that pop up again and again in Privacy Policies that everyone should learn to avoid. Here's what they are, how to avoid them, and examples of what you need to do to be transparent and compliant.

1. You Write in Legalese

Is your Privacy Policy filled with legal and technical jargon that only your lawyer's lawyer understands?

Writing in legalese is one of the hallmarks of a bad Privacy Policy. The practice was (and is) so rampant that the European privacy law - the GDPR - went out of its way to make it crystal clear that Privacy Policies that don't use plain language are in violation of the law.

Do you use words like:

  • Caveat emptor
  • Duty of care
  • Act of God
  • Jurisdiction
  • Precedent

If you do, then you use legalese. And while your lawyer may insist on its importance, your average user has no idea what it means or how it applies to the way they use your site. If they don't understand it, then you aren't being transparent.

Transparency is the ultimate goal of a Privacy Policy.

A good example of how NOT to write in legalese comes from Ticketmaster.

Ticketmaster breaks down its data practices in a way that makes sense to anyone at an eighth-grade reading level:

Live Nation Privacy Policy: Excerpt of clause summaries

It also provides a short summary in simple English to provide its customers a baseline of information before diving into the details below. Readability is critical for Privacy Policies, and as long as you communicate what's essential, you can't go too far in accommodating your users.

2. You Hide Your Privacy Policy

Where is your Privacy Policy located on your website?

Is there a link to it on your home page?

For most companies, it lies in the website footer next to other legal documents like a Cookies Policy and Terms & Conditions. Because so many sites place it there, the webpage footer has become almost uniform and customers know to expect to find your Privacy Policy here.

Here's an example of a clearly placed Privacy Policy from Slack:

Slack website footer with links

And here's another example from The Guardian, who not only links to the Privacy Policy in the page footer but also links to it when asking for consent to place cookies upon the first visit to the site:

The Guardian Cookie Consent Notice

The bottom line: your Privacy Policy should be easily accessible from anywhere on your website. If users have to search for it, then it's hidden and that's not good.

3. You Don't Comply With Relevant Legislation

Do you collect data from European residents? Are children among your website's core market? Did you set up shop in California?

If you said yes to any of the above, then there are at least three privacy protection laws that could impact your business.

The first law is the GDPR, and it applies to any website that collects personal information from European residents. The GDPR has specific guidelines for Privacy Policies, and there are clauses you must reference such as user rights under the GDPR.

For example, Delta Airlines lists user rights and explicitly notes that it "applies only to individuals in the European Union and other countries which grants the rights described here."

Delta Airlines Privacy Policy: Your GDPR Rights clause intro

Meredith Publishing links to the European Union Privacy Information directly from its standard Privacy Policy:

Meredith Privacy Policy Table of Contents: EU information section highlighted

Does your site appeal to children under 13 years of age? Then your site falls under the scope of the Children's Online Privacy Protection Act (COPPA). You want to both address COPPA and make sure your Privacy Policy meets COPPA rules.

Given that children fall under its target market, the Walt Disney Family of Companies created a Privacy Policy that deals specifically with kids 12 and under:

Walt Disney Children's Privacy Policy: Intro section

If you have users in California, you'll need to be familiar with requirements of CalOPPA - the California Online Privacy Protection Act. This Act has some strict requirements for Privacy Policies including how you display the Policy link and what clauses you include.

You'll need a Do Not Track clause, and should make sure to draw attention to the fact that you provide unique rights to California users, as Apple has done here in its legal page titled "Your California Privacy Disclosures":

Apple California Privacy Disclosures for CalOPPA: Do Not Track and Notice for Minors clauses

Finally, don't forget about the new California Consumer Privacy Act (CCPA). It impacts businesses based in California and protects the privacy rights of people living in California. You'll need to reference it in your Privacy Policy by the time it becomes law on January 1, 2020.

4. You Don't Update It to Match Your Data Practices

When was the last time you updated your Privacy Policy? Was it when you wrote it? If so, your policy is likely due for a tune-up.

Only your company knows whether your Privacy Policy truly reflects your data practices, but your customers might get an inkling sooner than you think, particularly in our increasingly privacy-conscious culture.

To reassure your customers, add an "effective from" date to the top of your Privacy Policy.

Here's an example from Mansueto Ventures, an online publisher:

Mansueto Ventures Privacy Policy: Effective Date highlighted

Don't forget: if you update your Privacy Policy, then you should inform your users and ask for consent a second time.

5. You Don't Ask for Consent

Your Privacy Policy only benefits you when your visitors read and consent to it.

In the past, we believed consent was assumed. If a user visits your site, they automatically agree to your data practices.

Today, the standard for consent is much higher thanks to laws like the GDPR. Even if the GDPR doesn't apply to you, it is worth following their standards because it better protects your business and your users.

What does consent look like today?

It's affirmative. It requires action from the user. Consent looks like a checkbox that the user must tick before clicking "Okay" or something similar to agree to your Privacy Policy.

Here's how Walmart Canada does this on its Create Account page:

Walmart Canada create account form with checkbox to agree to Privacy Policy and subscribe to emails

Note the checkbox that users must check to agree that they have read and are accepting the Privacy Policy, which is linked to the statement for user convenience.

If you have a solid Privacy Policy, you need to get solid consent to it from your users or it won't do you much good if legal issues ever arise.
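The two mechanics described above, an unticked checkbox that the user must actively tick, and re-asking for consent whenever the Policy's "effective from" date changes, can be put into a few lines of code. The following is an added example, not code from the article or from any of the companies it discusses; the policy object, the `recordConsent` and `consentRequired` functions, the placeholder URL and the sample dates are all this example's own assumptions.

```javascript
// Added example (not from the article): affirmative consent records keyed to the
// Privacy Policy's "effective from" date, so an updated Policy invalidates old consent.
// POLICY, recordConsent, consentRequired and the sample data are hypothetical.

// The Policy as currently published; the effective date doubles as its version.
const POLICY = Object.freeze({
  url: "https://example.com/privacy", // placeholder URL, not a real site
  effectiveFrom: "2019-09-06",
});

// Build a consent record only when the user took an affirmative action.
// `form` mirrors the sign-up form state: the Policy checkbox starts unticked and
// must be ticked by the user, and the form must actually have been submitted.
// A separate marketing checkbox is kept independent, as in the Walmart example:
// agreeing to the Policy does not imply agreeing to e-mails.
function recordConsent(form, policy, now = new Date()) {
  if (!form.agreeChecked) {
    // Merely visiting the site is not consent; record nothing.
    return { ok: false, reason: "privacy policy checkbox not ticked" };
  }
  if (!form.submitted) {
    return { ok: false, reason: "form not submitted" };
  }
  return {
    ok: true,
    record: {
      policyUrl: policy.url,
      policyEffectiveFrom: policy.effectiveFrom, // which version was agreed to
      marketingOptIn: form.marketingChecked === true,
      consentedAt: now.toISOString(), // kept so the consent can be evidenced later
      method: "checkbox+submit", // what the user did, kept for audit
    },
  };
}

// Decide whether the user must be asked again: no record at all, or the Policy
// has a newer effective date than the one the record refers to.
function consentRequired(record, policy) {
  if (!record) return true;
  return record.policyEffectiveFrom !== policy.effectiveFrom;
}

// Constructed sample: a returning user who consented to an earlier Policy version.
const OLD_RECORD = Object.freeze({
  policyUrl: POLICY.url,
  policyEffectiveFrom: "2018-05-25",
  marketingOptIn: false,
  consentedAt: "2018-06-01T10:00:00.000Z",
  method: "checkbox+submit",
});

// Walk through both cases and return the outcomes.
function demo() {
  const stale = consentRequired(OLD_RECORD, POLICY); // true: Policy updated since
  const fresh = recordConsent(
    { agreeChecked: true, marketingChecked: false, submitted: true },
    POLICY,
    new Date("2019-09-10T12:00:00Z"),
  );
  return { stale, fresh, requiredAfter: consentRequired(fresh.record, POLICY) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The record stores the Policy's effective date rather than a boolean, which is what makes the "ask for consent a second time" step automatic: the next time the date at the top of the Policy changes, `consentRequired` returns true for every existing record and the checkbox is shown again.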

6. You Missed Important Clauses

Your Privacy Policy needs to strategically represent each of the ways you collect, use and store data.

Some of the clauses businesses often miss out on are those legislative clauses listed above, such as the need to comply with the GDPR or COPPA.

However, there might be other clauses missing that result in your Privacy Policy being incomplete. These often relate to moving or sharing your data to a third party.

For example, if you move data to another country, then you need to say so in your Privacy Policy. You particularly need this clause if you must comply with the GDPR.

Another important clause frequently missed by Privacy Policies is the business transfer clause. It states that if you sell your business, then you will pass the database and its contents over to the new owner. Even if you don't plan to sell your business, you benefit from having this clause.

Spotify provides a business transfer clause under the heading "Information we may share":

Spotify Privacy Policy: Business transfer clause

Before you consider your Privacy Policy to be complete, make sure you give it a review to ensure you've included all the important clauses that you may have overlooked.

7. You Wrote an Enormous Block of Text

As previously noted, failing to make a Privacy Policy easily readable is one of the biggest mistakes businesses make when constructing their Policies.

Too many still use a 2000s-era format: big words, tiny print, and enormous and almost illegible blocks of text.

Readability is increasingly governed by law, and in cases where you market to children, you need to provide a Privacy Policy they can read.

Apple provides an excellent example of how you can write an effective Privacy Policy without using a wall of text:

Apple Privacy: Device security summary

Apple uses text of different sizes, illustrative pictures and white space to make its Privacy information super readable.

On the other hand, Twitter still uses the text wall format. While it isn't as easy to read as Apple's Privacy Policy, the site does break down the text in a way that's at least searchable:

Twitter Privacy Policy: Contact Information and Address Books clause excerpt

While both are legal and protect your business, it's clear to see which one is easier to read.

8. Your Team Doesn't Know What's in Your Privacy Policy

You have a Privacy Policy, and it reflects your data practices - on paper. But does your team know what's in your Privacy Policy and more importantly, does their lack of knowledge impact whether you uphold each clause as you should?

Everyone who controls, processes, or accesses your data needs to know what's in your Privacy Policy, how it matches your operations, and what your consumers expect from you. That turns the Policy from a mere document into a true reflection of, and guide to, your actual practices.

9. Your Privacy Policy Worries More About Litigation than Fair Processing

Some companies write their Privacy Policies to reflect their fear of lawsuits - not their commitment to their customers.

Rather than addressing areas that impact and concern users, many Privacy Policies talk about what the company "might," "occasionally," or "from time to time" do.

Rather than describing true practices, such Policies downplay the company's involvement in potentially questionable data practices and either obfuscate or omit the rest.

So if you write your Privacy Policy in a way that says you "might" do this, or you "reserve the right," consider what your users want - and then give it to them.

Here's an example.

NBC Universal lists all the information it collects from users, including information provided to them from the user and information collected automatically.

One thing it collects is "Offline Information."

NBC Universal Privacy Policy: Offline Information clause

The clause says that NBC collects "certain information" when its users are offline regardless of what device is used.

That NBC discloses this keeps the company in line with the law. But what does it mean? An informed consumer would want to know:

  • What is "certain information"?
  • Why is it being collected, stored, and transmitted?
  • Is there any way to opt out?

NBC's failure to acknowledge these questions is one of the reasons it ended up on Osano's list of "data privacy misleaders."

10. You Only Use One Privacy Policy for Different Users

If your business falls under the SaaS category, then you likely have several different types of users: customers, developers, and partners.

The way you use data changes based on how they use your service. So, your Privacy Policy needs to reflect this.

Including all three categories of user in a single Privacy Policy makes your document long, complicated, and virtually unreadable. To make it simple, you need a policy for each of your key categories of customers.

HubSpot does just that with its Privacy Policy:

HubSpot Privacy Policy: Intro and customer list

The service adds a Privacy Policy for its:

  • Customers
  • Partners
  • Developers
  • General users ("Everyone")

Each Privacy Policy is found under its respective heading to make it clear what data practices occur at each level.

Don't Make These Privacy Policy Mistakes

Your Privacy Policy serves both your customers and your business, so you want to be sure that your policy is:

  • Readable
  • Transparent
  • Accessible
  • Complete

All in all, you want to be sure that your Privacy Policy reflects both your data practices and your customers' privacy expectations. If you can do that, you are more likely to write a meaningful Privacy Policy as well as one that complies with existing and future privacy legislation.

Nicole Olsen

Legal writer.