Check Your Privacy Policy For These 5 Mistakes

Written by John Lister (Legal writer.) and last updated on 05 April 2020.

Check Your Privacy Policy For These 5 Mistakes

Most mistakes with Privacy Policies fall into two categories. First, your policy might not include required information. This is particularly likely if you aren't aware of all of the multiple laws that affect you and your customers.

Secondly, you might not display the information in the best way, for example by not making it clear, prominent and up-to-date. As well as following good practice with the display, you may also have to follow specific rules from particular privacy laws.

Let's take a look at some of these commonly-seen mistakes and how you can avoid or correct them.


Not Including Legally-Required Information

Not Including Legally-Required Information

Depending on both you and your users, you could be affected by several different privacy laws. This is particularly the case for websites, which have an international component.

Here are five key laws that may affect your privacy practices and in turn your Privacy Policies.

Children's Online Privacy Protection Act (COPPA)

When Does it Apply?

COPPA applies if either your organization or any users are based in the US and if either you aim your site (and services) towards under-13s or you know under 13s are using it.

What Does It Mean For My Privacy Policy?

The legislation says you must get parental permission before collecting any personal data about somebody aged under 13. You must only keep data for as long as necessary to use it for the reason you gave for collecting it, and you cannot demand unnecessary information as a condition of using the service.

You must include a clear description of what data you collected about under-13s, including how you use it and whether you disclose it.

This extract from Disney's COPPA policy clearly details the data it collects:

Disney Children's Online Privacy Policy: Excerpt of Information collected and used clause

If you don't address these issues in your Privacy Policy, especially if you have a site aimed towards children, you will be violating COPPA.

The General Data Protection Regulation (GDPR)

When Does It Apply?

The GDPR applies if you are operating in a European Union country, if your customer/user is in a European Union country, or if data is physically processed in a European Union country. The rules apply if you process data, or if you control it (meaning you decide what is collected and processed).

What Does It Mean For My Privacy Policy?

The GDPR lists several specific points that must be included in your GDPR-compliant Privacy Policy:

  • Details of your data protection officer, if applicable
  • Which of six legal bases you are using to process the data
  • Whether you'll transfer the data to a non-European Union country
  • Whether you'll perform "automated decision making" using the data

This clause from The Independent explains the company's legal basis for processing data:

Independent Privacy Notice: Legal bases clause

Check out our template linked above to see more examples and how the other two points can be satisfied with short clauses.

Personal Information Protection and Electronic Documents Act (PIPEDA)

When Does It Apply?

Generally, PIPEDA applies to private-sector organizations in Canada that use personal data "in the course of a commercial activity." Key exemptions include organizations in provinces such as Alberta, British Columbia and Quebec that have similar measures in their local laws. However, this exemption doesn't cover data crossing national or provincial borders.

What Does It Require?

You must follow 10 fair information principles covering issues such as consent, limiting use, and safeguarding. These aren't merely general principles but rather have detailed descriptions in the law itself.

What Does It Mean For My Privacy Policy?

The eighth principle, "openness," says you must give clear information about your privacy practices, including:

  • Who is responsible for data protection in your organization.
  • What data you share with third parties.
  • How people can access the data you store about them (including contact details.)
  • How people can complain about you breaching PIPEDA.

California Consumer Privacy Act (CCPA)

When Does It Apply?

The CCPA took effect in January 2020 though enforcement may not start until July 2020. The law covers for-profit organizations doing business in California as long as they meet annual thresholds for either revenue ($25 million), personal data handling (50,000 people, households or devices) or business type (half or more revenue coming from selling personal data).

What Does It Require?

If the CCPA applies, you must uphold six consumer rights. These include informing them of what data you hold about them, whether you share the data, and allowing access to their data without charge. Consumers also have the right to demand you delete their data and that you stop selling it. Finally, they must be able to exercise the rights without you restricting services or changing prices.

What Does It Mean For My Privacy Policy?

The CCPA specifically requires several points in your Privacy Policy, starting with an outline of the consumer's rights and how to exercise them.

Next, you must list the data you collect, sell and disclose. In each case these must be a list of the specific categories (set down in the legislation) in which you've handled data in the previous 12 months.

Finally, both your Privacy Policy and your homepage must link to a web page titled "Do Not Sell My Personal Information." This page must detail how the user can demand you do not sell their data; you can't require them to create an account to do this.

Crescent Cove's "Do Not Sell My Personal Information" page covers this information concisely, though the language could be clearer:

Screenshot of Crescent Cove Do Not Sell My Personal Information page

California Online Privacy Protection Act (CalOPPA)

When Does It Apply?

CalOPPA applies to any commercial website or online service (including mobile apps) that collects data about California citizens. The law applies regardless of where the site or service is based.

What Does It Require?

CalOPPA says that if you collect personally identifiable information, you must have and display a Privacy Policy.

What Does It Mean For My Privacy Policy?

Under CalOPPA, your Privacy Policy must disclose:

  • What types of personal data you collect
  • How users can review and correct the data you collect about them
  • If and when you've changed or updated your Privacy Policy
  • How you response to "Do Not Track" signals from web browsers
  • Whether any third parties collect data through your site, for example through cookies, ad trackers, plug-ins and similar measures

Apple's Privacy Policy has a dedicated page for California that addresses the Do Not Track issue:

Apple California Privacy Disclosures: DNT clause

Make sure your Privacy Policy is clearly labeled as such and easy to locate on your website or within your mobile app.

Using Complicated Language

Using Complicated Language

Several privacy laws specifically require that you write your Privacy Policy so there's a reasonable likelihood that users and customers can understand it. For example, PIPEDA says information about your privacy practices:

"shall be made available in a form that is generally understandable."

COPPA says a privacy notice:

"must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials."

The GDPR says any information you give users about their privacy rights must be:

"in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."

Even when a law doesn't specifically require you to do so, writing in the clearest language possible makes sense. It creates a positive impression and trust for the reader. It also shows you are following the spirit of privacy laws by making the user's rights clear, rather than just complying with the precise letter of the law. This could help your case if there's any dispute about your Privacy Policy and procedures.

Balancing the need for legal precision and completeness with the need to be easily understood isn't always easy, but the following tips may help:

  • List the key points at the start of the policy if it's a particularly long document.
  • Use everyday words unless there's a specific legal term that you must use. If so, explain its meaning.
  • Use shorter sentences where possible.
  • Use "you" and "we" to make the policy feel more approachable. (If necessary, define what "we" refers to at the start of the policy.)
  • Use bullet point lists when making multiple related points.
  • Prefer the active voice ("we will store your data") rather than the passive voice ("your data will be stored.") This often makes sentences clearer and reduces confusion about who is doing what.

This policy from Unilever uses everyday language and "you" and "we":

Screenshot of Unilever Privacy Notice main page

You can see how shorter sentences separated with spaces helps with readability. The linked sections in the form of questions make it easy for readers to go directly to sections of the Privacy Notice that they're curious about. All of these little things add up to make the notice more user-friendly, approachable and easy to navigate.

Not Displaying the Policy Appropriately

Not Displaying the Policy Appropriately

Even the best Privacy Policy isn't effective if people don't read it. While you can't force users to read every word, you should make sure they have a reasonable opportunity to see the policy. Again, it's a situation where doing so can be either a legal requirement or simply good practice.

Some specific requirements include:

COPPA: The privacy notice must be online in a way that demonstrates you "make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of the operator's [privacy] practices..." You must link to your Privacy Policy from the home page and in every area of the site where you collect data from children.

CalOPPA: You must "conspicuously" post your Privacy Policy on your website. Acceptable ways to do this include:

  • Including an icon on your website that links to the Privacy Policy. The icon must be distinguishable from the background and include the word "Privacy."
  • Including a text link to the Privacy Policy on your website. The link must be "so displayed that a reasonable person would notice it" and must stand out from surrounding text, for example by being in larger type or a different color. The word "Privacy" should be included.

CCPA: You must inform users of their rights "at or before the point of collection." Both your website and Privacy Policy must have a "clear and conspicuous link" to your dedicated "Do Not Sell My Personal Information" page.

The most common way to display a Privacy Policy is as a dedicated web page, linked to from elsewhere on the site (typically the footer).

IBM includes a "Privacy" link in the footer menu so it appears on every page:

IBM website footer with links

For added reassurance that a user really has had a chance to see the notice, you can put it in a pop-up screen and link to this screen right at the point when a user is about to provide personal information. This approach works better when your policy is relatively concise. It doesn't always work well on mobile devices.

Healthline includes a link to its Privacy Policy at the stage when users sign up to a newsletter:

Healthline email sign-up form with Privacy Policy link

The key thing to remember is to make your Privacy Policy easy to notice, easy to access and there when people would want it to be.

Not Getting Clear Consent

Some privacy laws specifically require that you get active, clear or meaningful consent from a user to collect certain types of data. This means you can't merely rely on the idea that it's fine to collect data unless a user specifically objects. For example:

PIPEDA requires "knowledge and consent" though there's some leeway for situations where a user should have "reasonable expectations" that you'll use data in a particular way. The legislation gives the example that you don't need specific consent to contact a magazine subscriber to ask if they want to renew.

COPPA requires "verifiable parental consent" before collecting data from children. This means making reasonable efforts, taking into account available technology, to confirm the consent comes from the child's parent.

The GDPR puts the burden on you to demonstrate the user has consented (in advance) to the processing of certain types of personal information.

A common way to confirm consent is to clearly explain that clicking a button gives consent. To do this effectively you'll need to display it so the user is sure to see it before they click on the button. Linking from here to the full Privacy Policy can work well.

For added assurance a user is giving active consent, use a separate checkbox. You need to clearly label the checkbox to show that the user is giving consent. For even more assurance, you can include wording to say the person "understands" what giving consent means. Do not "pre-tick" a checkbox. Instead, always require that the user actively tick the box.

Where relevant, give users the opportunity to consent to some forms of data collection and use while withholding others. You could do this through multiple checkboxes.

This example from Microsoft combines several of the suggested techniques. It uses the "Next" button as a way to show understanding and acceptance of the privacy policy, with an opportunity to review the policy. It also has a separate checkbox to consent to receiving optional information through email.

Microsoft account sign-up form with checkbox

When it comes to getting consent for your Privacy Policy, remember to:

  • Request consent before or at the time of collecting personal information
  • Make it clear to your users that by taking some action (clicking Next, checking a box, placing an order, creating an account, etc.) they're going to be agreeing to your Privacy Policy.
  • Link your Privacy Policy to the place where you're requesting consent so people can refer to it before making the decision to continue.

Not Updating Privacy Policies

Not Updating Privacy Policies

The entire point of a Privacy Policy is that users can make informed decisions about providing their personal data to a company based on its policies. Outdated Privacy Policies that don't accurately convey business privacy practices undermine this principle and could even make your compliance with privacy laws invalid.

At the very least you should update your Privacy Policy as soon as anything important changes. This could mean a delay with reprinting paper documents, but generally you should update online policies immediately. You may want to note recent significant changes at the start of the Privacy Policy.

In some cases you are legally required to tell users if your Privacy Policy changes in a way that could affect the consent they gave, for example if you now use data for a different purpose or if you now pass it on to a third party. For example:

PIPEDA says you must get fresh consent if you change the way you use data.

The GDPR's "meaningful" consent only covers processing data for the specified purposes which you listed when getting the consent. Before using the data for other purposes, you must get fresh consent. You can't merely rely on telling the user you've changed your policy.

CalOPPA says your policy must say when and how you've changed it, if you do change it.

The CCPA says you must update your Privacy Policy at least once every 12 months. This will mean updating the list of categories of personal information that you've collected, sold or disclosed in the previous 12 months.

This extract from The Guardian's Privacy Policy lists updates and changes. It might work better with the most recent changes listed first so that users don't have to scroll to the end to see what's changed since they last read the policy:

The Guardian Privacy Policy: Changes to this Privacy Policy clause excerpt

Summary

Let's recap what you need to do to avoid common mistakes when writing an effective and legally valid Privacy Policy.

  • Check all of the laws that might apply
  • Use clear language so that users have a reasonable opportunity to understand the policy
  • Make the policy readily available, for example with prominent links across your site and again at the point that users provide personal data
  • Get clear and active consent and (with PIPEDA and the GDPR) get fresh consent before using data for a different purpose to the ones you listed when getting consent
  • Keep Privacy Policies up to date and tell users directly about any significant changes