Update Notices for Privacy Policy Changes

by Nicole O. Legal writer.

Your Privacy Policy is a critical part of protecting your business and your customers. It's an up-to-date notice of your data practices, including everything from collection to storage to security. The key word in that sentence is up-to-date.

Whenever you make a meaningful change to the way you handle customer data, you need to update your Privacy Policy to reflect the change.

And, if you update your Privacy Policy, you need to let your customers know before those changes go into effect.

Providing an update notice for your Privacy Policy changes is both good business practice, and in some cases, it's also a legal requirement.

We'll show you when and why you should update your Privacy Policy, why you need to share those updates, and three ways to communicate your changes to your customers.


When and Why Should You Update Your Privacy Policy?

The Privacy Policy you created for your site isn't a one-off document that you upload and never touch again. On the contrary, your Privacy Policy is a living document that needs regular reviews and updates.

You need to review your Privacy Policy on a regular basis to make sure it's still up-to-date with your data practices and it meets the latest requirements provided by law.

In addition to scheduled, periodic reviews, you also need to review your policy whenever a function of your website changes. If you start accepting PayPal, launch a new newsletter, or allow customers to log in with their Facebook accounts, then the change in practice needs to show up in your Privacy Policy.

Remember that in addition to making those changes, you also need a record of the changes you made. So, keep each superseded version of your policy on file, together with the dates it was in effect, so you can show exactly what a user was told at any given time.

When Do You Need to Send an Update Notice?


If you review your Privacy Policy a few times a year, does that mean you need to send out an update notice each time?

The answer is no. If you only change the wording or structure of your policy, without changing what you actually do with users' data, then you don't need to send an update notice.

However, if your updates reflect a substantial or material change to your Privacy Policy, then you do need to send an update notice.

For example, if you add social media widgets to your site that allow third parties to collect information, then you need to update your Privacy Policy to disclose this and notify your customers that you're now allowing third parties to collect data.

Why Send an Update Notice to Your Customers?


In many cases, your Privacy Policy falls under the jurisdiction of international, federal, or state law. Those laws not only require you to have a Privacy Policy but also require you to tell data subjects (your customers) what it says and, where you rely on consent as your basis for processing their data, to obtain that consent.

A policy your users have never been shown is neither transparent nor an effective basis for the consent you're relying on.

If the data subject consents to the first version of your Privacy Policy, then you're all set. But if you make substantial changes to the policy, then they do not automatically consent to those changes just because they said "yes" to the first version.

You need to let them know you changed your policy, so that they can provide their consent (or decline to do so) on your up-to-date practices.

Laws like the EU's GDPR and California's CalOPPA require you to keep your Privacy Policy up to date and to tell users about material changes; under the GDPR, where consent is your lawful basis for processing, that consent also has to cover your current practices. So, if your site is open to European or Californian customers, then the Privacy Policy update requirement applies to you.

You need to be particularly careful if your site markets to children, because not only do additional laws apply (such as COPPA), but they can also be stricter about privacy violations.

If you're caught without a Privacy Policy under the laws listed above, hefty fines apply and you could be vulnerable to legal challenges.

Your Customers Expect You to Share Your Data Practices

Crippling fines aside, you should remember that users expect you to have an updated Privacy Policy. That expectation extends to letting them know if you make meaningful changes to it.

Users expect you to be transparent about your data practices and there's a growing privacy consciousness across the consumer market.

The Facebook-Cambridge Analytica scandal contributed to heightened privacy concerns among millions of Americans. A Harris Poll survey found that 78 percent of consumers believe that protecting user data is "extremely important." Trust in companies is also down. Only 20 percent of consumers say they "completely trust" businesses to protect them.

To put this into perspective, Harris Poll asked participants to weigh their concerns. Sixty percent of consumers reported greater worries about cybersecurity than about the potential of the U.S. going to war.

Consumers' fears and beliefs dictate who does and doesn't get their data - and their money. So, it's important to be as transparent as possible.

Conduct a privacy law self-audit to make sure you have the most accurate assessment of your situation so you can present it transparently to your users.

How to Send an Update Notice


You don't need to take out a page-length ad in the Times to let customers know your data practices have changed. In fact, there are three simple notification methods that cover your bases and maximize transparency.

These include:

  • Adding a relevant update clause to your Privacy Policy
  • Sending an email out to announce the changes
  • Using a pop-up notice on your website to announce the update and obtain consent to the changes

Let's take a look at each method's benefits and how it plays out.

Include an Update Clause in Your Privacy Policy

First, it's helpful to include a clause that gives you leeway to make non-material updates to your Privacy Policy without requesting new consent or sending an update notice each time. It does not relieve you of the duty to notify users of material changes.

Some choose to include the clause right away in their Privacy Policy's introduction section. However, it can get lost in the preamble, particularly if the paragraph is long.

Others provide a dedicated clause for it, typically towards the end of the policy. Lowe's follows this track in its Privacy Policy:

Lowe's Privacy and Security Statement: Updates clause

Lowe's notes that it can change the policy as it sees fit to match its practices or meet new legal requirements. It also says you'll find an update notice on the site when substantive changes are made, and that a 'last updated' date is indicated at the top of the Privacy Policy.

Hilton's "Changes to this Statement" clause reserves the right to modify the statement. Readers are informed that when material changes are made, a link will be posted on the site's homepage, and the effective date will be updated to reflect the current version of the policy:

Hilton Privacy Statement: Changes to this Statement clause

Automattic includes a "Privacy Policy Changes" clause that lets users know to check the change log below the clause for any changes that have been made, and that in some cases additional notices of changes may be made. These notices can include a statement on the homepage or blog, or a notification via email or user account dashboards:

Automattic Privacy Policy: Privacy Policy Changes clause

The change log lists the date of each change and a short statement of what changed, such as adding new information, updates for new laws, clarifications, and removing outdated information:

Automattic Privacy Policy: Change Log clause

Send an Update Notice Email

Are you making substantive changes to your Privacy Policy? Let users know via your email list.

Sending them an email is the preferred method because it goes directly to their inbox, where they (should) see it. Relying on their next visit to the site isn't as effective: you are still processing their data in the meantime, but they might not log in to your site again for weeks or even months. That means you'll be processing their data under your new Privacy Policy without them knowing about it.

A good Privacy Policy Update Notice email includes four things:

  • The effective date of your updated Privacy Policy
  • A link to your Privacy Policy
  • Details of the most important changes
  • What to do if a user doesn't accept the changes

Our first example comes from OpenTable, which updated its Privacy Policy on May 31, 2019. The email sent to data subjects includes three of the four essential characteristics.

Screenshot of OpenTable email with notice of changes to Privacy Policy

According to OpenTable, starting May 31st, 2019, it would provide more detail about data collection, greater transparency related to what it shares, and mechanisms for more user control over their information.

Because the changes here are largely related to being more transparent and offering users more control - and not collecting or sharing new types of data - it was not necessary for OpenTable to provide a means by which customers can deny their consent.

Dashlane, however, updated its Privacy Policy around the same time. It provided a link to the Privacy Policy and informed users that they don't need to do anything to accept the changes, but that they could decline to accept by deleting their accounts.

Screenshot of Dashlane email with notice of changes to Privacy Policy - Intro and opt-out section

The email also included a convenient list of all the changes. This is really helpful: without it, a user would have no practical way to tell what had changed short of comparing the old and new policies line by line.

Screenshot of Dashlane email with notice of changes to Privacy Policy - List of changes section

If you send out an email, adding a summarized list like this is a great idea. Users will appreciate it, and they'll be far less likely to opt out of your new privacy practices when they can easily see what the new practices actually involve.

Use a Pop-Up Notice on Your Website

The final method of informing customers of Privacy Policy changes is by using a pop-up notice on your website.

You can make this similar to a cookies consent mechanism on your site. All you need to do is include a statement that says you updated your Privacy Policy, provide a link to your new Privacy Policy, and ideally use a clickwrap consent mechanism (like having a user click "Accept" or "Agree") for acknowledgement.

Remember that browsewrap agreements (where continued use of the site is taken as agreement) are now generally frowned upon, and you need your data subjects to actively agree to your Privacy Policy. Adding the consent button is key, and so is recording which version of the policy each user accepted and when.

Here's an example of a basic pop-up notice from Twitter:

Twitter updated Privacy Policy pop-up notice

Here's an example of a similar but somewhat better one from Zynga. It includes a link to the updated policies for users to easily access if they wish:

Zynga updated Terms of Service and Privacy Policy pop-up notice
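The version-gated pop-up and clickwrap acceptance described in this section, as an added JavaScript example. This is not code from Twitter, Zynga, or any other site quoted in this article; the version list, the `privacyConsent` storage key and the `render` callback are illustrative assumptions. It goes slightly beyond the pop-up itself by also honouring the earlier distinction between material and non-material changes: only a material version triggers a fresh "Accept", and each acceptance is stored with the version and timestamp so you have a record of what the user agreed to.

```javascript
// Added example: version-gated Privacy Policy consent check for a web client.
// All names below are illustrative assumptions, not from any real site.

// Constructed version history. Only versions marked `material` require a fresh
// clickwrap acceptance; editorial changes just move the "last updated" date.
// Versions are ISO dates so plain string comparison orders them correctly.
const POLICY_VERSIONS = [
  { version: "2019-05-31", effective: "2019-05-31", material: true,  url: "/privacy/2019-05-31" },
  { version: "2019-09-10", effective: "2019-09-10", material: false, url: "/privacy/2019-09-10" },
  { version: "2020-04-23", effective: "2020-04-23", material: true,  url: "/privacy/2020-04-23" },
];

// Assumed storage key (in a browser this would live in window.localStorage
// or, better, server-side against the user's account).
const CONSENT_KEY = "privacyConsent";

// Most recent version in the history.
function latestPolicy(versions = POLICY_VERSIONS) {
  return versions.reduce((a, b) => (a.version > b.version ? a : b));
}

// True when the user has never accepted anything, or when a material change
// was published after the version they accepted. Non-material edits never
// trigger a new notice.
function needsReconsent(stored, versions = POLICY_VERSIONS) {
  if (!stored || !stored.version) return true;
  return versions.some((v) => v.material && v.version > stored.version);
}

// Read the stored consent record; a missing or corrupted record counts as
// no consent, so the user is shown the notice again rather than silently skipped.
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    return JSON.parse(raw);
  } catch {
    return null;
  }
}

// Persist the acceptance with the exact version and time, so you can later
// show what the user agreed to and when.
function recordConsent(storage, policy, now = new Date()) {
  const record = { version: policy.version, acceptedAt: now.toISOString() };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Decide whether the pop-up is needed. `render(policy, accept)` is the UI
// callback: in a browser it would inject the banner with a link to policy.url
// and wire the "Accept" button to call `accept()`.
function showNoticeIfNeeded(storage, versions, render) {
  const stored = readConsent(storage);
  const policy = latestPolicy(versions);
  if (!needsReconsent(stored, versions)) {
    return { shown: false, version: policy.version };
  }
  render(policy, () => recordConsent(storage, policy));
  return { shown: true, version: policy.version };
}

// Minimal in-memory stand-in for window.localStorage so the logic runs outside
// a browser (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a real deployment the `render` callback would be the only browser-specific part; keeping the decision logic separate from the DOM makes it easy to test that a non-material edit does not nag users and that a material one always does. Storing the accepted version server-side rather than only in the browser is preferable, since local storage is cleared easily and gives you no audit trail.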

Summary

A Privacy Policy isn't a static document. It grows and changes with your data practices to accurately reflect your organization's methods of handling data at that moment in time.

You should review your Privacy Policy at least once every few months and every time you make a substantial change to the way you collect, use, store, or share data.

Are you updating your Privacy Policy? Let everyone know by including an update clause in your Privacy Policy, sending out an email blast, and using a clickwrap notification mechanism on your website when your update takes place.

Last updated on 23 April 2020
