- 1. Making Language too Complicated
- 2. Not Getting Clear Agreement or Consent
- 4. Not Including All Required Clauses
- 4.1. COPPA
- 4.2. GDPR
- 4.3. CalOPPA
- 4.4. CCPA
- 5. Not Updating Your Policy as Your Practices Change
- 6. Using Standard Templates Without Customization
- 7. Not Including Proper Cookies Disclosures
- 8. Summary
Here are some of the most common mistakes that arise when it comes to Privacy Policies and what you can do to make sure you don't make them.
Making Language too Complicated
If your language is too complicated, it may appear that you are trying to hide your practices behind complex words and phrases.
This issue came to a head in 2015, when TIME partnered with the Center for Plain Language to produce a report on the Privacy Policies of the 7 top internet companies, ranking each company on clarity of language and ease of reading.
After the report was released, updating Privacy Policies with plain language became a top task for companies around the world.
Here's an example of one clause that shows how clearly the information can be conveyed:
Lyft, a transportation service, came in at the bottom of TIME's plain language report for poor structure, incoherent sentences, and a generally confusing policy. The report even went as far as to say that it seemed like Lyft didn't "want you to read this."
Not Getting Clear Agreement or Consent
For example, under the GDPR of the European Union, consent must be:
- Freely given
- Given through a clear affirmative action
Any consent that does not meet these requirements could be considered coercion by your company or an attempt to defraud your consumers.
Previous ways of getting consent, such as pre-checked boxes, are no longer accepted. The sign-in form for the online shoe company Zappos is an example of giving users a place to freely and affirmatively consent to signing up for the service and to remaining signed in:
Not Displaying it Correctly
Links to your Privacy Policy must be clear and conspicuous. Common places to display one include:
- Checkout pages
- Footer of the webpage
- A pop-up message on an app or homepage
- Top corner of the screen
- Sign-up and log-in forms
Not Including All Required Clauses
Each of these laws protects the privacy of a particular group of consumers, and if your users fall into one of these groups, you must include a specific clause.
COPPA (the "Children's Online Privacy Protection Act") regulates information collected from children and gives parents control over the data collected. If your site is targeted towards children, or any of your audience may be children, COPPA applies. Additionally, any foreign company that has consumers in the US must also comply with COPPA.
Your COPPA clause must include:
- Getting parental consent
- Properly securing data
- Deleting data when requested, or when informed that it's from a minor
- Providing a clear and comprehensive Privacy Policy
Nintendo, one of the leading game console companies in the world, includes a specific clause for children. Nintendo's services are used by both adults and children, and the company included a section stating that it does not collect information from children under 14 without consent and that it allows parents to modify or delete any such information.
The GDPR (General Data Protection Regulation) is the European Union's law governing the protection of personal data. The GDPR was adopted in 2016 and fully enforced from 2018. Going forward, any company that sells services to or has customers in the EU must follow GDPR rules. Foreign companies are also covered if they have consumers who live in the EU.
The two most important takeaways from the enactment of the GDPR are that foreign companies with EU customers now fall under its regulation, and that implied consent is no longer acceptable. Express, freely given consent is now the standard companies must meet.
If you have any EU consumers, making sure you follow the new rules is extremely important.
CalOPPA, the California Online Privacy Protection Act, was created to protect the information of California residents online. Companies that are based in California, or that collect information from California residents, fall under CalOPPA's reach.
Apple obtains information from customers around the world. It collects names, addresses, credit card information, and email addresses. Since the company collects data from consumers worldwide, including a separate CalOPPA clause is a must.
The California Consumer Privacy Act (CCPA) applies to for-profit businesses that collect the personal information of California residents. Like CalOPPA, the CCPA applies both to California businesses and to companies across the world.
After January 1, 2020, all covered businesses must update their Privacy Policies to include the new consumer rights under the act. These include the right to access information, the right to request deletion of data, and the right not to be discriminated against for exercising these rights. Under the CCPA, your Privacy Policy and site must also provide:
- System for consumers to request and delete information
- Webpage and link for consumers to opt-out of selling information - a Do Not Sell My Personal Information page (required only if the business sells information)
- Categories of personal information collected (e.g., email addresses and employment information)
- Sources of collected information
- Purposes for collecting the information
- List of personal data sold in the last 12 months
- List of personal data disclosed for "business purposes" in the last 12 months
Not Updating Your Policy as Your Practices Change
Changes to your practices may include:
- How you collect information
- A new third-party the information is sent to
- Additional privacy protections
Users must be allowed to read and accept the new changes to the policy. An update notice, sent by email, shown as a pop-up, or presented as clear links to the changes, must be provided so consumers can accept or reject the new terms.
Not only do you need to update your Policy as your practices change, but you also need to inform your users about the change. Failing to do so is a serious mistake.
Using Standard Templates Without Customization
Since Privacy Policies are required by law, standard forms and templates are easy to find. If you use one, however, remember to customize it. These templates often contain:
- Long-winded legalese
- General disclosures
- General terms
Additionally, if you must include certain clauses, such as those required by COPPA or CalOPPA, you may have to add them to the generated form. Not every preprinted form includes every clause or disclosure that may apply to your specific company.
Not Including Proper Cookies Disclosures
One of the most important disclosures in a Privacy Policy is how information is collected, and this includes information collected via cookies. Users need to know how companies collect their information and must be given the chance to accept or reject each type of collection.
Common mistakes you may be making are:
- Keeping language too complicated
  - Legalese and long-winded wording are no longer acceptable
- Not getting clear agreement or consent
  - Express consent is now required, not simply implied
- Not displaying it correctly
  - Links to Privacy Policies must be clear and conspicuous
  - Include one in your footer, subscription pages, and pop-ups
- Not including required clauses
  - You may need to include clauses for COPPA, GDPR, and CalOPPA if you have certain users
- Not updating when your practices change
- Using Policy templates without customization