7 Mistakes You're Making With Your Privacy Policy

Last updated on 17 December 2019
7 Mistakes You're Making With Your Privacy Policy

You may be making some mistakes with your Privacy Policy that could come with big repercussions for your company.

A Privacy Policy is meant to provide a customer with full disclosure of what information you collect and how it is being collected and used. There are some specific things you need to do when it comes to what types of information you include, how you display your Policy and how you handle it into the future.

Here are some of the most common mistakes that arise when it comes to Privacy Policies and what you can do to make sure you don't make them.

Making Language too Complicated

Your consumers are a general audience, which means the language of your Privacy Policy needs to be simple enough that everyone can understand and read it. You are not writing to a table of lawyers, but everyday people.

If you are making the language too complicated, it may appear as if you are attempting to hide your practices through complicated words and phrases.

This issue came to a head in 2015, when TIME partnered with the Center for Plain Language to create a report of the 7 top internet companies and their Privacy Policies. From this report, it ranked each of these companies on clarity of language and ease.

After the report was released, updating Privacy Policies with plain language became a top task for companies around the world.

An example of a top grade from TIME was Google's Privacy Policy. Google's language was found to be clear, simple, and conversational, detailing the terms without hiding behind difficult words. Google uses common words with a clean structure, which users found to be the most appealing.

Here's an example of one clause where you can see how easily understandable the information is conveyed:

Google Privacy Policy: Understand the types of information we collect clause

Lyft, a transportation service, came in at the bottom of TIME's plain language report for poor structure, incoherent sentences, and a general confusing policy. The report even went as far as to say that it seemed like Lyft didn't "want you to read this."

Lyft has since updated its Privacy Policy to be more readable and user-friendly.

Not Getting Clear Agreement or Consent

You must receive clear agreement or consent to the gathering of information and to your Privacy Policy. The consent must be expressly given, not implied. Additionally, consumers need to be asked permission when collecting specific information or new data across your website.

For example, under the GDPR of the European Union, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Clear affirmative action

Any consent that does not meet these descriptions could be considered coercion by your company or trying to defraud your consumers.

Previous ways of getting consent such as pre-checked boxes are no longer accepted. The sign-in form for the online shoe company Zappos is an example of providing places for users to freely and affirmatively give their consent to signing up for the service and remaining signed in to the system:

Zappos create an account form

Not Displaying Your Privacy Policy Appropriately

An example of a law that requires appropriate disclosure is the California law CalOPPA, which requires that your Privacy Policy shall be "conspicuously" posted or where the consumer can easily see and access the policy.

A link or notification should be included in places where a consumer would typically wish to see about the privacy of their information. A few examples of places to include links to your Privacy Policy are:

  • Checkout pages
  • Footer of the webpage
  • A pop-up message on an app or homepage
  • Top corner of the screen
  • Sign-up and log-in forms

While you do not need to include the entire Privacy Policy on your homepage or landing page, including the links in as many locations is important. Also, including encouragement on your pop-ups or sign-up forms to your consumer to read the policies before they use your site also is key.

Two examples of where to include Privacy Policy links are from ESPN and the Lululemon. The sports website ESPN includes its link in the first place users typically look, the footer of the homepage. The link is bold and clearly defined without a distracting background to confuse the user:

ESPN website footer with link

An example of including a link to a Privacy Policy on a "create account" page is from Lululemon, a top fitness clothing brand. Lululemon's link is bold and underlined to draw the customer's attention to it:

Lululemon Create an Account form

Remember, the more places you include your link, the better. You should include it at points where you collect personal information or want to use the information in a specific way, as seen above. Users are submitting email addresses as well as being asked to consent to sign up for promotional emails, so this is a double-perfect time to link to the Privacy Policy.

Not Including All Required Clauses

Not Including All Required Clauses

A number of privacy laws have some specific requirements for what must be included in a Privacy Policy. These laws include:

  • COPPA
  • GDPR
  • CalOPPA
  • CCPA

Each of these laws protect a particular group of consumers' privacy and if your users fall into one of these groups, you must include a specific clause.

COPPA

COPPA ("Children's Online Privacy Protection Act") regulates information collected from children and gives parents control over the data collected. If your site is targeted towards children or any of your audience may be children, COPPA will apply. Additionally, any foreign companies who have consumers in the US must also comply with COPPA.

Your COPPA clause must include:

  • Getting parental consent
  • Properly securing data
  • Deleting data when requested, or when informed that it's from a minor
  • Providing a clear and encompassing Private Policy

Nintendo - one of the leading game console companies in the world, includes a specific clause for children. Nintendo is used by both adults and children and the company included a portion stating they do not collect information from children under 14 without consent and allow parents to modify or delete any information.

Nintendo Privacy Policy: Information about Children clause

GDPR

The GDPR is the European Union's governing body for protecting personal data. The GDPR was adopted in 2016 and fully enacted in 2018. Going forward, any companies who sell services or have EU customers, must follow GDPR regulations. Foreign companies are also included if they have consumers who live in the EU.

The two most important takeaways from the enactment of the GDPR is that foreign companies with EU customers now fall under its regulation and implied consent is no longer acceptable. Express and freely given is now the standard companies must comply to get consent.

If you have any EU consumers, making sure you follow the new guidelines are extremely important.

CalOPPA

CalOPPA, California Online Privacy Protection Act, was created to protect the information of California residents online. Companies that are based in California or collect information from California residents also fall under CalOPPA's reach.

The most important inclusion in CalOPPA is the Privacy Policy of the company must be "conspicuously" posted on the site or the company must use reasonable means to make the Privacy Policy accessible to customers.

The Privacy Policy must also clearly state how it handles "do not track" signals, or identifications made by the consumer that they do not want their information to be tracked by a company.

Apple obtains information from clients around the world. It collects names, addresses, credit card information, and email addresses. Since the company collects data from consumers worldwide, including a separate CalOPPA clause is a must.

Apple's Privacy Policy is clearly linked on the footer of the page and a separate page includes how Apple handles any "do not track" signals its customers may invoke specific to CalOPPA requirements:

Apple California Privacy Disclosures for CalOPPA: Do Not Track and Notice for Minors clauses

CCPA

The California Consumer Privacy Act (CCPA) applies to for-profit businesses that collect the personal information of California residents. Like CalOPPA, the CCPA applies to California businesses and companies across the world.

After January 1, 2020, all businesses must update their Privacy Policies to include the new consumer rights requirements under the act. These rights include access to information, to request deletion of data, and to not be discriminated against for exercising these rights.

Businesses must notify consumers of their rights. Whether you notify consumers by separate clauses or pages, under the CCPA, your Privacy Policy must include:

  • System for consumers to request and delete information
  • Webpage and link for consumers to opt-out of selling information - a Do Not Sell My Personal Information page (required only if the business sells information)
  • Categories of personal information collected (i.e., email addresses and employment information)
  • Sources of collected information
  • Purposes for collecting the information
  • List of personal data sold in the last 12 months
  • List of personal data disclosed for "business purposes" in the last 12 months

Not Updating Your Policy as Your Practices Change

One of the main protections of laws like the GDPR and CalOPPA is to protect against fraud and misleading language. If your practices have changed and you fail to change the language of your Privacy Policy, it could be construed as deceitful actions.

Changes to your practices may include:

  • How you collect information
  • A new third-party the information is sent to
  • Additional privacy protections

Users must be allowed to read and accept the new changes to the policy. A notice through email, pop-up, or clear links to changes must be created to allow consumers to reject or agree to the new terms.

The telephone company Verizon consistently makes changes to its Privacy Policy due to being in the technology industry. Because of this, Verizon includes a separate page for any current or previous changes that have been made to their Privacy Policy and the reasons behind the changes:

Verizon Privacy Policy: Recent Changes section

Not only do you need to update your Policy as your practices change, but you need to inform your users about this, too. Not doing so is a big, big mistake.

Using Standard Templates Without Customization

Using Standard Templates Without Customization

Since Privacy Policies are required by law, accessing standard forms or templates is very easy. However, when using standard forms remember to customize. These standards may include:

  • Long-winded legalese
  • General disclosures
  • General terms

It is important to customize your Privacy Policy to reflect the specific practices and services your company provides. If you run a mobile app, including the specific information you collect and how the data will be stored must also be included.

Additionally, if you must include certain clauses, like those required by COPPA or CalOPPA, you may have to add those to the generated form. Not every preprinted form includes every clause or disclosure that your specific company may apply to.

Not Including Proper Cookies Disclosures

One of the most important disclosures in Privacy Policies is how information is collected and this includes information collected via cookies. Users need to know how companies are collecting their information and the chance to accept or reject those collection types.

If your company uses cookies to collect data, that must be disclosed.

Here's an example of a cookie clause in Target's Privacy Policy that lets shoppers and site visitors know that cookies are used by both Target and third parties, and what these cookies accomplish:

Target Privacy Policy: Automated Collection cookie clause

A note for US companies and EU companies. US companies generally include a Cookies Policy or cookie clause in the general Privacy Policy, but EU companies must have a separate Cookies Policy under the Cookies Directive.

Summary

With recent changes to privacy laws and new laws on the horizon, it has never been more important than it is now to double check your own Privacy Policy for mistakes you may be making.

Common mistakes you may be making are:

  • Keeping language too complicated
    • Using legalese and long-winded words are no longer acceptable
  • Not getting clear agreement or consent
    • Express consent is now required, not simply implied
  • Not displaying it correctly
    • Links to Privacy Policies must be clear and conspicuous
    • Include one in your footer, subscription pages, and pop-ups
  • Not including required clauses
    • May need to include clauses for COPPA, GDPR, and CalOPPA if you have certain users
  • Not updating when your practices change
  • Using Policy templates without customization
  • Not including if you use cookies to collect information
Article categories