Most mistakes with Privacy Policies fall into two categories. First, your policy might not include required information. This is particularly likely if you aren't aware of all of the multiple laws that affect you and your customers.
Secondly, you might not display the information in the best way, for example by not making it clear, prominent and up-to-date. As well as following good practice with the display, you may also have to follow specific rules from particular privacy laws.
Let's take a look at some of these commonly-seen mistakes and how you can avoid or correct them.
- 1. Not Including Legally-Required Information
- 1.1. Children's Online Privacy Protection Act (COPPA)
- 1.1.1. When Does It Apply?
- 1.2. The General Data Protection Regulation (GDPR)
- 1.2.1. When Does It Apply?
- 1.3. Personal Information Protection and Electronic Documents Act (PIPEDA)
- 1.3.1. When Does It Apply?
- 1.3.2. What Does It Require?
- 1.4. California Consumer Privacy Act (CCPA/CPRA)
- 1.4.1. When Does It Apply?
- 1.4.2. What Does It Require?
- 1.5. California Online Privacy Protection Act (CalOPPA)
- 1.5.1. When Does It Apply?
- 1.5.2. What Does It Require?
- 2. Using Complicated Language
- 3. Not Displaying the Policy Appropriately
- 4. Not Getting Clear Consent
- 5. Not Updating Privacy Policies
- 6. Summary
Not Including Legally-Required Information
Depending on both you and your users, you could be affected by several different privacy laws. This is particularly the case for websites, which have an international component.
Here are five key laws that may affect your privacy practices and in turn your Privacy Policies.
Children's Online Privacy Protection Act (COPPA)
When Does It Apply?
COPPA applies if either your organization or any users are based in the US and if either you aim your site (and services) towards under-13s or you know under-13s are using it.
The legislation says you must get parental permission before collecting any personal data about somebody aged under 13. You must only keep data for as long as necessary to use it for the reason you gave for collecting it, and you cannot demand unnecessary information as a condition of using the service.
You must include a clear description of what data you collect about under-13s, including how you use it and whether you disclose it.
This extract from Disney's COPPA policy clearly details the data it collects:
The General Data Protection Regulation (GDPR)
When Does It Apply?
The GDPR applies if you are operating in a European Union country, if your customer/user is in a European Union country, or if data is physically processed in a European Union country. The rules apply if you process data, or if you control it (meaning you decide what is collected and processed).
- Details of your data protection officer, if applicable
- Which of six legal bases you are using to process the data
- Whether you'll transfer the data to a non-European Union country
- Whether you'll perform "automated decision making" using the data
This clause from The Independent explains the company's legal basis for processing data:
Check out our template linked above to see more examples and how the other two points can be satisfied with short clauses.
Personal Information Protection and Electronic Documents Act (PIPEDA)
When Does It Apply?
Generally, PIPEDA applies to private-sector organizations in Canada that use personal data "in the course of a commercial activity." Key exemptions include organizations in provinces such as Alberta, British Columbia and Quebec that have similar measures in their local laws. However, this exemption doesn't cover data crossing national or provincial borders.
What Does It Require?
You must follow 10 fair information principles covering issues such as consent, limiting use, and safeguarding. These aren't merely general principles but rather have detailed descriptions in the law itself.
The eighth principle, "openness," says you must give clear information about your privacy practices, including:
- Who is responsible for data protection in your organization.
- What data you share with third parties.
- How people can access the data you store about them (including contact details).
- How people can complain about you breaching PIPEDA.
California Consumer Privacy Act (CCPA/CPRA)
When Does It Apply?
The CCPA took effect in January 2020 and was amended in part by the CPRA. The law covers for-profit organizations doing business in California as long as they meet annual thresholds for either revenue ($25 million), personal data handling (100,000 people or households) or business type (half or more revenue coming from selling or sharing personal data).
What Does It Require?
If the CCPA (CPRA) applies, you must uphold a number of consumer rights. These include informing them of what data you hold about them, whether you share the data, and allowing access to their data without charge. Consumers also have the right to demand you delete their data and that you stop selling it. Finally, they must be able to exercise the rights without you restricting services or changing prices.
Next, you must list the data you collect, sell and disclose. In each case these must be a list of the specific categories (set down in the legislation) in which you've handled data in the previous 12 months.
Crescent Cove's "Do Not Sell My Personal Information" page covers this information concisely, though the language could be clearer:
California Online Privacy Protection Act (CalOPPA)
When Does It Apply?
CalOPPA applies to any commercial website or online service (including mobile apps) that collects data about California citizens. The law applies regardless of where the site or service is based.
What Does It Require?
- What types of personal data you collect
- How users can review and correct the data you collect about them
- How you respond to "Do Not Track" signals from web browsers
- Whether any third parties collect data through your site, for example through cookies, ad trackers, plug-ins and similar measures
Using Complicated Language
"shall be made available in a form that is generally understandable."
COPPA says a privacy notice:
"must be clearly and understandably written, complete, and must contain no unrelated, confusing, or contradictory materials."
The GDPR says any information you give users about their privacy rights must be:
"in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child."
Balancing the need for legal precision and completeness with the need to be easily understood isn't always easy, but the following tips may help:
- List the key points at the start of the policy if it's a particularly long document.
- Use everyday words unless there's a specific legal term that you must use. If so, explain its meaning.
- Use shorter sentences where possible.
- Use "you" and "we" to make the policy feel more approachable. (If necessary, define what "we" refers to at the start of the policy.)
- Use bullet point lists when making multiple related points.
- Prefer the active voice ("we will store your data") rather than the passive voice ("your data will be stored"). This often makes sentences clearer and reduces confusion about who is doing what.
This policy from Unilever uses everyday language and "you" and "we":
You can see how shorter sentences separated with spaces help with readability. The linked sections, phrased as questions, make it easy for readers to go directly to the parts of the Privacy Notice they're curious about. All of these little things add up to make the notice more user-friendly, approachable and easy to navigate.
Not Displaying the Policy Appropriately
Some specific requirements include:
IBM includes a "Privacy" link in the footer menu so it appears on every page:
For added reassurance that a user really has had a chance to see the notice, you can put it in a pop-up screen and link to this screen right at the point when a user is about to provide personal information. This approach works better when your policy is relatively concise. It doesn't always work well on mobile devices.
Not Getting Clear Consent
Some privacy laws specifically require that you get active, clear or meaningful consent from a user to collect certain types of data. This means you can't merely rely on the idea that it's fine to collect data unless a user specifically objects. For example:
PIPEDA requires "knowledge and consent" though there's some leeway for situations where a user should have "reasonable expectations" that you'll use data in a particular way. The legislation gives the example that you don't need specific consent to contact a magazine subscriber to ask if they want to renew.
COPPA requires "verifiable parental consent" before collecting data from children. This means making reasonable efforts, taking into account available technology, to confirm the consent comes from the child's parent.
The GDPR puts the burden on you to demonstrate the user has consented (in advance) to the processing of certain types of personal information.
For added assurance a user is giving active consent, use a separate checkbox. You need to clearly label the checkbox to show that the user is giving consent. For even more assurance, you can include wording to say the person "understands" what giving consent means. Do not "pre-tick" a checkbox. Instead, always require that the user actively tick the box.
Where relevant, give users the opportunity to consent to some forms of data collection and use while withholding others. You could do this through multiple checkboxes.
- Request consent before or at the time of collecting personal information
Not Updating Privacy Policies
PIPEDA says you must get fresh consent if you change the way you use data.
The GDPR's "meaningful" consent only covers processing data for the specified purposes which you listed when getting the consent. Before using the data for other purposes, you must get fresh consent. You can't merely rely on telling the user you've changed your policy.
CalOPPA says your policy must say when and how you've changed it, if you do change it.
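As an added example (this is not code from the article or from any of the sites it cites), the following JavaScript models the consent mechanics described in the two sections above: one separately labelled checkbox per purpose, none of them pre-ticked, an explicit "I understand" confirmation, a timestamped record that names the policy version it was given under, and a check that demands fresh consent whenever a purpose was not listed at consent time or the policy version has since changed. The purposes, field names and version string are constructed placeholders.

```javascript
// Added illustration; not the article's code. Purposes, field names and the
// policy version are constructed placeholders.

const POLICY_VERSION = "2024-06-01"; // constructed: version of the current policy

// Purposes a user can accept or decline individually (constructed list).
const PURPOSES = ["account", "newsletter", "analytics"];

// Human-readable labels so each checkbox says what consenting to it means.
const LABELS = {
  account: "I consent to you storing my account details to run my account",
  newsletter: "I consent to you emailing me your newsletter",
  analytics: "I consent to you using analytics cookies on my visits",
};

// Initial form state: every purpose starts unticked, as does the
// "I understand" confirmation. Nothing is pre-ticked on the user's behalf.
function defaultFormState() {
  const state = { understood: false };
  for (const p of PURPOSES) state[p] = false;
  return state;
}

// Render the consent controls. Each purpose gets its own labelled checkbox
// with no "checked" attribute, so the user must actively tick it.
function consentFormHtml() {
  const rows = PURPOSES.map(
    (p) => `<label><input type="checkbox" name="${p}"> ${LABELS[p]}</label>`
  );
  rows.push(
    '<label><input type="checkbox" name="understood"> ' +
      "I understand what I am consenting to and that I can withdraw consent</label>"
  );
  return `<form id="consent">\n${rows.join("\n")}\n</form>`;
}

// Turn submitted form state into a consent record. Only purposes the user
// actively ticked are recorded as granted; unknown keys are ignored; the
// "understood" confirmation is mandatory; the record carries the policy
// version and a timestamp so that consent can be demonstrated later.
function buildConsentRecord(formState, now = new Date()) {
  if (formState.understood !== true) {
    throw new Error("user must confirm they understand what consent means");
  }
  const granted = PURPOSES.filter((p) => formState[p] === true);
  return {
    policyVersion: POLICY_VERSION,
    purposes: granted,
    understood: true,
    grantedAt: now.toISOString(),
  };
}

// Decide whether a stored record still covers `purpose` today. Consent only
// covers the purposes listed when it was given and the policy it was given
// under, so a new purpose or a changed policy version means asking again
// rather than just telling the user the policy changed.
function needsFreshConsent(record, purpose, currentVersion = POLICY_VERSION) {
  if (!record) return { needed: true, reason: "no consent on file" };
  if (record.policyVersion !== currentVersion) {
    return { needed: true, reason: "policy changed since consent was given" };
  }
  if (!record.purposes.includes(purpose)) {
    return { needed: true, reason: `no consent on file for purpose "${purpose}"` };
  }
  return { needed: false, reason: "covered by existing consent" };
}

// Example usage: a user ticks "account" and "analytics" but not "newsletter".
const submitted = { ...defaultFormState(), account: true, analytics: true, understood: true };
const record = buildConsentRecord(submitted);
console.log(consentFormHtml());
console.log(record);
console.log(needsFreshConsent(record, "newsletter")); // fresh consent needed
console.log(needsFreshConsent(record, "account", "2025-01-01")); // policy changed
```

The record is what you would persist alongside the user's account; when a new purpose is introduced or the policy is revised, `needsFreshConsent` is the gate in front of any processing that relies on the earlier consent.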
Summary
- Check all of the laws that might apply
- Use clear language so that users have a reasonable opportunity to understand the policy
- Make the policy readily available, for example with prominent links across your site and again at the point that users provide personal data
- Get clear and active consent and (with PIPEDA and the GDPR) get fresh consent before using data for a different purpose to the ones you listed when getting consent
- Keep Privacy Policies up to date and tell users directly about any significant changes