Why Your Privacy Policy Needs to Mirror Your Privacy Practices

Even if a business doesn't have a website or a strong online presence, it's recommended to have a simple Privacy Policy. And for those that do have an online presence, a Privacy Policy is of the utmost importance.

A Privacy Policy isn't just required by the law, but also directly affects the relationship and trust your business builds with its customers. Let's unpack what a Privacy Policy is, why your business needs it, and why it must mirror your actual privacy practices to be compliant and effective.

What is a Privacy Policy and Why is it Important?

A Privacy Policy is a legal document that informs the consumer about the privacy practices of your company, such as what data it collects from its consumers, the reason for collecting it, and how it processes that data. If you share or obtain personal data from third parties, information regarding that should also go into the Privacy Policy.

Why Do You Need to Keep Your Privacy Policy Up-to-date?

Thinking that nobody reads a Privacy Policy or that you might be able to escape the consequences of not having a compliant Privacy Policy is a recipe for disaster. Here's why every business needs an up-to-date Privacy Policy.

It's Required by the Law

There are various laws that require a company to have a compliant Privacy Policy.

In the U.S., a number of states have passed privacy laws, and to comply with them, an up-to-date Privacy Policy is required. Even before that, laws like the Gramm-Leach-Bliley Act, HIPAA, and COPPA have been governing various aspects of privacy regarding the personal data a company collects in the USA.

On a global scale, there are a number of laws including the General Data Protection Regulation (GDPR) in the European Union, which applies regardless of where the business is located and requires that factual information about privacy practices be disclosed, such as via an accurate Privacy Policy.

While the particulars of these laws might be different, the common hallmark these laws share is the requirement for a compliant Privacy Policy. Any business that operates globally, or in a country that has passed a privacy law, needs to see to the fulfillment of those laws to avoid incurring fines and penalties.

People Want to Know How Their Personal Information is Handled

Privacy matters a lot to consumers, especially when it comes to their personal information like their address and contact information. Even the mere knowledge that a company is collecting personal data from a consumer, let alone sharing or selling it to third parties, is enough to deter them.

Some companies also collect sensitive data, which includes information about a person's racial or ethnic origin, their medical and biometric data, and even their sex life and sexual orientation. In the wrong hands or in case of a data breach, this information can be very dangerous to that individual and can lead to fraud and identity theft.

That's where a Privacy Policy comes in. By openly communicating the reason for collecting data and giving the consumer the option to opt out of it, your company can gain their trust. This will directly lead to more customer retention and better profits.

There are Penalties Involved For Not Having an Accurate Privacy Policy

As with any law, if a company fails to adhere to it, there will be penalties and fines involved. The fines for breaking a U.S. privacy law might be as little as $100 per violation per consumer, for the more minor violations. This can go up to $7500 per violation per consumer. Considering that a company holds the data of millions of consumers at a time, any transgression can easily incur millions of dollars in fines.

A violator of U.S. privacy laws was the makeup retailer Sephora, receiving a fine of $1.2 million for not disclosing to consumers in the Privacy Policy that the company was selling their personal information, and failing to process their opt-out requests. On a larger scale, there was the $93 million fine slapped on Google for misleading consumers on how it handled their location tracking data.

For companies operating on a global scale, the fines are significantly higher, and the GDPR is particularly strict in this regard. Since the GDPR applies to all global companies that process European consumer data, even companies not based in Europe can be fined. There is no minimum limit to a fine, with examples of fines as low as $200. But for severe violations, the fines can go up to €20 million or 4% of the company's total global turnover of the previous fiscal year.

Meta Platforms Ireland stands at the top with the biggest GDPR fine, amounting to €1.2 billion, for mishandling data when transferring it between Europe and the U.S. This is followed by the €746 million fine levied on Amazon Europe over how it uses consumer data for targeted advertising.

This is proof that having a compliant Privacy Policy is just the first step; your company needs to mirror it in practice to avoid hefty fines.

How Can You Make Your Privacy Policy Accurate?

A Privacy Policy must be kept up-to-date and compliant with all the current laws and regulations that apply to it.

Depending on where your business and its consumers are located, your Privacy Policy might need to have any or all of the following information, as well as additional information, in it for it to comply with privacy laws:

  • Information regarding the type and purpose of data collection
  • Instructions on how a consumer can access and modify their data from the business
  • List of the third parties with whom the business shares personal data
  • Instructions regarding the opt-in or opt-out mechanism of data collection
  • Contact information through which a consumer can exercise their rights

Communicate the Types of Data You Collect and Share, and the Purpose for Collecting it

Informing your consumers about the types of data you collect and why you collect it one of the main points of privacy laws, so it makes sense that this part of your policy must be kept up to date and accurate for it to be effective.

Here's an example of a clause addressing this information that would need to be updated if privacy practices changed, such as if additional information not already on the list were to be collected:

Best Buy Privacy Policy: Information collect clause

Similarly, if the way information is used ever changes, that will also need to be updated to mirror actual privacy practices. Here's another example clause of a list that could potentially need to be updated to remain accurate:

Best Buy Privacy Policy: How Use Information Collected clause

Update Consumers About the Changes Made to the Privacy Policy

Keep consumers notified of any changes made to your Privacy Policy and your company's privacy practices.

You can do this many different ways. One is by always including the date of last update of the document, as seen here:

Privacy Policy with Updated and Effective dates highlighted

You can provide access to previous versions of your Privacy Policy, as seen below. This allows your consumers to check at a glance exactly what changes are made to the Privacy Policy without reading through it in its entirety:

Screenshot of Privacy Policy updates links

You can also use an email or a pop-up notification on your website to inform users about your updated policy.

Here's an example of an email that lets users know about upcoming changes to a Privacy Policy and how it affects them:

Discord email about Privacy Policy updates

Allow Consumers to Access, Delete, and Opt Out of their Data Collection

A consumer right that is common to various privacy laws is to access and delete the data that a business holds. Additionally, as per the Utah Consumer Privacy Act, "a consumer has the right to opt out of the processing of the consumer's personal data." This clause isn't exclusive to the UCPA and also applies to other acts.

A Privacy Policy also needs to contain a link to a form or any other type of tool that allows them to opt out of their data collection.

Conduct Data Security Practices and Inform the Consumer About it

Keeping consumer data safe and secure should be every business's priority. It requires a business to have certain physical and digital safeguards in place, such as blocking unauthorized access to the data and implementing the latest encryption procedures on it.

The California Consumer Privacy Act clearly states that a business "shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure."

Once implemented, a business's Privacy Policy should inform users of the security measures in place to protect their data.

Qatar Airway's Privacy Policy openly states how dedicated it is to safeguarding consumers' personal data:

Qatar Airway Privacy Policy: Security clause

Display it Conspicuously

It's important that it's readily available and easily accessible by your consumers. Examples of some places where consumers should be able to access your Privacy Policy are:

  • On your website
  • In the emails your company sends to its consumers
  • Cookie consent notices and sign-up forms
  • Checkout and payment information collection screens

Summary

Every business should have a Privacy Policy that's compliant with the latest laws, is consumer-friendly, and is readily accessible across key touchpoints like the website, app, and emails. But even more important than that is for the business to closely mirror that policy in their practices and dealings.

A good Privacy Policy should incorporate the following elements:

  • Informs users about the data the business collects from them
  • Lets users know why the business collects this data and how they use it
  • Makes them aware if the company is sharing/selling their data to third parties
  • Guides users on how they can access, delete, and modify their data
  • Allows users to opt out of data collection and exercise their rights without the business discriminating against them

Businesses found with a non-compliant Privacy Policy, or with practices that go against their Privacy Policy, may suffer from heavy fines and penalties.