There will be times when you need to update your Privacy Policy to ensure it's inline with the way your business operates and complies with all current laws and legislation. When you update your Privacy Policy it's important to inform your users that you've done so. This is especially true if you are making a material change to the type of data you collect or the way you process data.

If you have made any major changes to your policy, you may wish to obtain renewed consent from your website or app users.

This article will cover why you need an update notice, what to include in one and how to send the update.


Why Do You Need to Send an Update Notice?

Why Do You Need to Send an Update Notice?

It's important to update users whenever you make changes to your Privacy Policy in order to comply with laws and regulations. Even if the nature of your update does not require a notice to be sent by law, it's still important to send a notice to demonstrate that your business is trustworthy and cares about the privacy of its users.

In addition, it may help avoid future disputes whereby a user says they are unhappy with an element of the policy that they weren't made aware of. The user may have agreed to your previous Privacy Policy, however if you failed to notify them of any changes that affect them they could potentially take legal action.

Let's consider these reasons in more detail:

To Comply with the Law

Not only is it good business practice to provide users with an update notice, but it's often a legal requirement.

For example, if your business has customers within the European Union (EU) it will be subject to the General Data Protection Regulation (GDPR), which requires companies to inform users of updates to their legal agreements.

The GDPR came into effect on May 25, 2018 and the regulation applies to any business that allows EU citizens to use their products or services, even if the business is not based in the EU.

In addition, U.S. federal law may require companies to provide users with Privacy Policy update notifications, dependent on which types of data the business collects and the nature of the policy change. Even without a law directly requiring a notice, you may still be legally required to produce a notice due to the indirect need to be transparent about your privacy practices.

Federal law states that businesses must not be involved in any deceptive business practices. Making a material change to your Privacy Policy and failing to inform users of the same could be classed as deceptive. Even if legal authorities didn't view it as deceptive, your customers might think you were trying to hide the update from them, which could severely damage your business's reputation.

Depending on which state your business operates from, there may be state laws that demand users receive an update notification.

Freeletics updated its Privacy Policy in accordance with the GDPR and advised users of the same via the following email:

Excerpt of Freeletics Updated Privacy Policy notice email

To Meet User Expectations

People are becoming increasingly concerned with the safety of their data when accessing websites and apps. Privacy is paramount to users, as is a company's transparency about their privacy practices.

Due to the growing awareness of privacy and data protection, users not only expect to see a Privacy Policy displayed on your website or app, but they also expect to receive a notification whenever this policy changes. Users want to know what they're agreeing to and if this changes after the fact.

Update notices make your business seem more trustworthy and enables you to build a better relationship with your customers.

To Avoid Misunderstandings and Disputes

A customer has the power to take a business to court for failing to follow its own policy. Not only would this be costly, but it could damage the company's reputation.

For example, if your Privacy Policy states that you are open and transparent with users, it wouldn't look good if you neglected to tell them about a policy update. This could trigger a lawsuit.

You can avoid this happening to your business by providing users with update notices. If you've notified your users, they cannot say they haven't been informed of the changes or say it's not what they agreed to.

An update notice also gives users the chance to opt-out or to close their account if they're dissatisfied with the changes.

Children Under 13

If your website or app is targeted towards children who are under 13 years of age or if it has the potential to appeal to them, it is essential to send a privacy notification when you update your Privacy Policy.

The Children's Online Privacy Protection Act (COPPA) requires companies to obtain the consent of the parents or guardians of children under 13 via a direct notification if the company plans to make any changes to the type of data it collects or the way it's processed. If you're updating your Privacy Policy because more data is collected, new consent needs to be sought from parents.

CBS Interactive states that parents will be notified of material changes and requests parents keep their contact information up to date for this reason:

CBS Interactive Childrens Privacy Policy: Changes to the Privacy Policy clause

Additionally, Article 12 of the GDPR states that a privacy notice should be written in clear and simple language - particularly when the notice is addressed to children.

What Should You Include in an Update Notice?

What Should You Include in an Update Notice?

You should always include a link to your fully updated Privacy Policy. It's also best to Include a snapshot or summary of the changes you've made to the policy. For example, you could give a brief overview of any updated points or provide section numbers to help users find the relevant updates.

Users will appreciate a paragraph which states how the changes will affect them. If you've made a change which enhances the privacy of the user this is a great opportunity to build trust.

You may also wish to include why you've made the changes. Is it due to changes in the way your company operates or has a new law come into effect?

You should also state the date the changes come into effect. Ideally you should give users at least 2 weeks notice. If this is not possible, you can give a shorter notice period or state that the change has already come into effect.

Lastly, follow the GDPR guidance when writing your notice. Article 12 states that privacy notices must be 'concise, transparent, intelligible, easily accessible and free of charge.'

Indeed provided a link to its full Privacy Policy followed by a summary of key changes in the notice it emailed to its users:

Excerpt of Indeed Updated Privacy Policy notice email

Groupon included the date its updated Privacy Policy would come into effect in an emailed update notice:

Excerpt of Groupon Updated Privacy Policy notice email

Include as much information as possible and as clearly as possible so your users are able to see exactly what's changing and get a general overview of how it will affect them.

How Should You Send The Update Notice?

How Should You Send The Update Notice?

Decide in advance how you will send future updates so that you can include a clause in your Privacy Policy which states what method(s) you will use to notify users of changes.

New Scientist's Privacy Policy informs users how they will be notified of changes, how much notice users will be given before changes take effect and how users can notify the company if they do not agree to the changes.

The company states that it will inform users of changes via email or via a website update. The policy makes it clear that changes take effect 7 days from the email or website notification. If users do not agree they must notify the company and stop using their services:

New Scientist Privacy Policy: Changes to this Policy clause

Unlike the above policy, Glossier doesn't state that it uses emails to send update notices. Instead the company says it will post the updated Privacy Policy on its website and provide an additional notice if the change is material:

Glossier Privacy Policy: Changes to our Privacy Policy clause

Expedia also takes a different route. The company doesn't commit to sending an update notice in a particular format, but the Privacy Policy states that Expedia will take 'appropriate measures' to inform users of changes and that the measures will be 'consistent with the significance of the changes we make.'

The policy also states that the company will obtain renewed consent if any material changes are made to the Privacy Policy:

Expedia UK Privacy Policy: Changes to this Notice and How to Contact Us clause

Include a clear and easy to understand clause in your Privacy Policy that lets users know what they can expect when you update your Policy.

Different Methods of Sending an Update Notice

Different Methods of Sending an Update Notice

There are a few different methods of sending a Privacy Policy update notice. The best way is to combine these methods so that users don't miss your update. This is particularly true if the change is significant.

Let's review some of the methods:

Email Notice

An email could be sent at the same time the change comes into effect, or prior to the change coming into effect.

It's best to send the email before the change and to advise users of the date the updated policy comes into effect. This gives users a chance to review the changes to see if they're happy with them prior to them taking effect.

An advantage of emailing your update notice to users is that it makes your business seem open and proactive. Another advantage is that the email provides you with an opportunity to include a concise summary of the changes you've made.

A disadvantage is that in order to send an email update, you'll need a list of your users' email addresses.

YouTube recently sent an email to announce changes to its Terms of Service. The subject line makes it clear that the email contains important information:

YouTube email showing Changes to Terms of Service as subject line

The content of the email included a summary of key changes with a link to the full updated policy:

YouTube email notice for updated Terms of Service

The email also advised users when the changes would come into effect:

YouTube email notice for updated Terms of Service: Effective date section

As a consequence of the GDPR coming into effect, website and app users were inundated with emails update notices in May of 2018. Many of these emails offered customers the chance to opt-in or out after reviewing the updated Privacy Policies.

Retailer Collectif sent users an email explaining why it had updated its policies, when the changes would take effect and advising users to unsubscribe if they were unhappy with the changes:

Collectif email notice for updated Privacy Policy and Terms of Use

Pop-up Notice

A pop-up notice is a great way to inform users about your updated Privacy Policy.

The main advantage is that the notice will be the first thing users see when arriving at your site. This gives them the chance to leave the site or close the app if they're unhappy with the policy revision.

Make sure you include a link to your full policy in the pop-up. You may wish to add an 'accept' button or a tick box so there can be no doubt that users have consented to your policy and its updates.

One disadvantage of pop-up notification is that there probably won't be enough space to include a summary of key changes. However, this isn't essential and is easily rectified by including an update summary at the top of your Privacy Policy.

Candy Crush Saga updated its Privacy Policy and informed users of this via a pop-up on the app. The app also ensured that users agreed to the changes by providing an 'accept' button for users to check before they were able to resume the game:

Candy Crush app: Notice of updated terms with Accept button

News Page or Blogpost

A further option is to post a news update or blogpost on your website advising users of the changes to your Privacy Policy.

The advantages of this is there will be space to include a summary of key changes and it doesn't require you to know user's email addresses.

A disadvantage is that users might not check your blog or news page regularly. A user could come across an old blogpost about a previous update and mistakenly believe the post related to a current update. To avoid this, make sure you clearly mark the date on the blogpost.

In addition to sending out an email update, This Web Host created a blogpost when the company updated its Privacy Policy in accordance with the GDPR. To avoid any confusion the company added a warning box which states how many days old the blogpost is in bold letters. This ensures users know this may not be the most recent update:

This Web Host Blog: Article for Updated Privacy Policy for GDPR

Overall, the best method depends on the significance of the update you've made to your Privacy Policy. If you have made a major update to your policy it's advisable to email your users if you have their email addresses.

Alternatively, add a pop-up notice to your website. If you want to make sure users agree to the updated policy, a pop-up coupled with an 'Accept' button is the way to go.

For a small update you may wish to add a short blogpost to your website.

It's advisable to combine methods to ensure you have done everything you can to notify users of your update. This will help to prevent user grievances. Plus, if a user did bring a lawsuit, you would be able to show the court that your users weren't just informed of the updates, but that you also made them as accessible as possible.

Summary

It's essential to inform users about changes to your Privacy Policy, particularly material changes. Failure to do so could make your business appear less trustworthy or deceptive. In addition, not providing an update notice could be breaking the law.

If your business serves customers within the EU it's essential to send update notices as the GDPR applies to your business. Even if the GDPR doesn't apply, you need to make sure that you don't fall foul of federal or state law.

When sending an update notice it's good practice to include a short summary of the changes you've made and advise users of the date the new policy will take effect. You may also wish to include how the changes will affect users and why you've made the changes.

Ideally, you should give users at least two weeks notice of the updates taking effect. You may wish to shorten this notice period, or not give any notice, if the change is smaller.

Update notices can be sent via email, displayed in a pop-up or written in a blogpost. It's a good idea to combine these methods if you've made a material change to your Privacy Policy.

You should also consider whether you need users to consent to changes you've made. This is important if you've made substantial changes to your Privacy Policy or updates that users may not be happy with.

You can get renewed consent through a tick box or 'Accept' button on a pop-up notice. You could also advise users to unsubscribe, opt-out or contact your company if they're dissatisfied with any changes.