9 Common Privacy Policy Issues to Avoid

Masha Komnenic CIPP/E, CIPM, CIPT, FIP

written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP August 28, 2023

Generate an Issue-Free Privacy Policy
9-Common-Privacy-Policy-Issues-to-Avoid - Copy-01

Even though all privacy policies seem similar at first glance, they actually require a lot of work to create and customize because businesses collect, process, and use personal information in unique ways.

Plus, different laws and regulations apply to different entities.

Whether you’re about to make your privacy policy for the first time or need to update an existing one, there are nine common privacy policy issues you must avoid.

Let’s dive into them.

Table of Contents
  1. Spending Too Little Time Preparing
  2. Never Updating Your Privacy Policy
  3. Misstating Your Data Processing Activities
  4. Misunderstanding What Laws Apply to Your Business
  5. Using Complicated Language
  6. Not Reviewing Carefully
  7. Not Getting Clear Consent From Users
  8. Misplacing It on Your Site or App
  9. Using a Non-Reputable Generator or Template
  10. Summary

Spending Too Little Time Preparing

When making a privacy policy, try not to rush through the drafting and preparation phase.

Don’t get me wrong, I understand why business owners sometimes do this — we all want the process of creating necessary legal documents to be quick, easy, and painless.

But if you don’t spend enough time researching and drafting your privacy policy upfront, it will cause problems that may come back to haunt you later on. That pain could manifest as massive legal fines and negative backlash from your consumers.

Even if you plan on using a lawyer or a comprehensive managed solution, like our Privacy Policy Generator, there are still several things that you, as the business owner, need to prepare.

Specifically, you must determine:

  • What data privacy laws apply to your business?
  • What personal data does your website, app, or platform collect from users?
  • Why do you collect the data, and how do you use it?
  • How will you store the data to keep it safe and secure?
  • Do you share the data with any third parties (and do they follow the same privacy guidelines as your business)?

Once you know your answers to these questions, it becomes easier to use a privacy policy generator, talk to a lawyer, or even write your own privacy policy.

Never Updating Your Privacy Policy

Another privacy policy issue you must avoid is neglecting to update or change it after posting it on your website or app.

Privacy policies are living documents that must accurately reflect your current data collection and processing activities. Otherwise, it directly violates data privacy laws and misleads the people who visit and use your platform.

For example, legislation like the California Consumer Privacy Act (CCPA) requires businesses to update their privacy policy at least once every twelve months.

Other laws, including the General Data Protection Regulation (GDPR), hold you financially accountable if your policy details are inaccurate or inconsistent with reality.

When it comes to your consumers, trust me, you don’t want to lose their trust — look at these alarming data privacy statistics:

  • 39% of users would likely turn away from a company that required them to provide highly personal information. (Akamai)
  • 1 in 5 users always or often reads a company’s privacy policy before agreeing to it. (Pew Research Center)
  • 48% of users have stopped buying from a company over privacy concerns. (Tableau)
  • 33% of users have terminated relationships with companies over data. (Cisco)
  • 71% of the world’s countries now have data privacy legislation in place, and another 9% have drafts moving through their governments. (UN)

Taking time today to establish a process for updating your privacy policy can help your business keep up with the fast pace of data privacy legislation.

Experts Agree You Need a Dynamic Privacy Policy

When we asked data privacy attorney Anthony E. Saurini, Esq, about the biggest mistakes businesses should avoid when making a privacy policy, he brought up the importance of building a policy that can adapt to the future.

See precisely what he had to say.

“The biggest mistake business owners should avoid when creating a global privacy policy is failing to fully anticipate their future regulatory needs. Regulatory agencies in all regions of the world have begun to treat an individual’s personal data as an asset owned by that individual. In the United States alone, a multitude of individual states have recently passed data privacy legislation, and at the Federal level, H.R.8152 – the American Data Privacy and Protection Act was recently introduced in Congress. Business leaders are already adapting to this new era of data minimization and privacy by design as it unfolds worldwide by investing in their future data privacy compliance needs today.” – Anthony E. Saurini, Esq., Data Privacy Attorney, CIPP/U.S.

Misstating Your Data Processing Activities

When you make a privacy policy for your business, you must avoid misstating or being dishonest about your data processing activities. In my opinion, this is one of the worst mistakes you could make.

Regulators and enforcement agencies are constantly looking for any incongruence between a company’s actions and what its privacy policy says, especially if any consumers ever submit complaints (and under laws like the GDPR, it’s their right to do so).

An example of this happened in 2021 to Meta when Ireland’s Data Protection Commission fined WhatsApp €225 million ($247 million) for using an unclear, non-transparent privacy policy regarding its use of user data.

Believe it or not, that’s not even the largest GDPR fine ever issued.

Ensure your privacy policy accurately reflects how you collect and use personal data, and avoid modeling it after a competitor or copying and pasting it from another website. Otherwise, you might end up literally paying for your mistakes.

Attorney Nadine Talaat Issues the Same Warning

When we spoke with data privacy expert and attorney Nadine Talaat about the top mistakes business owners should avoid when making their privacy policies, she immediately mentioned misstating privacy practices.

Read exactly what she had to say on the matter below.

“The top mistake business owners should be mindful to avoid when they create a privacy policy for their website or app is aligning their privacy program to their privacy policy and articulating what data is being collected. The privacy policy must coincide with the business’ privacy program. This important step allow for both business compliance and the user’s privacy rights. There must be an understanding of what data is being collected, processed, and a clear purpose. Business owners should be transparent on what personal data they are collecting, including what data third parties are collecting through their website or app. To do so, they need awareness of the applicable privacy regulations in their geographic market, whether this is within the United States or worldwide. Although, the United States does not have an overarching federal data privacy regulation, there are regulations in place for several states including California’s CPRA and Virginia’s VCDPA. Understanding the applicable regulations and implementing them correctly will build trust from the user. Overall, business owners should be knowledgeable and implement appropriate safeguards for privacy compliance measures.” – Nadine Talaat, Attorney, Data Privacy Professional, CIPP/U.S., CIPP/E

Misunderstanding What Laws Apply to Your Business

It’s essential that you don’t misunderstand what data privacy laws apply to your business and impact your privacy policy. You are wholly liable for abiding by those regulations.

Most data privacy laws have broad scopes and affect businesses outside the regions where the legislation is in force. In other words, companies not located in Europe still fall under the GDPR, just like entities outside of California can fall under the jurisdiction of the CCPA.

When determining the data protection legislation that affects your company, it may also help if you answer the following questions:

  • What jurisdiction are you in?
  • Where are your customers located?
  • What industry or industries are you in?
  • Are there any industry-specific laws you must comply with?

Below, I included the legal threshold for 12 of the most significant data privacy laws worldwide and details about the penalties for violating those laws.

Read through these carefully and take note of the ones that apply to you.

Data Privacy Law Legal Threshold Penalties for Violating the Law
General Data Protection Regulation (GDPR) Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA).
  • Maximum penalty of €24 million ($23 million) or 4% of their annual global turnover (whichever is higher)
  • Less severe infractions top out at €10 million ($12 million) or 2% annual global turnover (whichever is higher)
The Data Protection Act (UK GDPR) Any organization offering goods or services to UK citizens that processes their personal data.
  • Up to £17.5 million or 4% of the global revenue
  • Or up to £8.7 million or 2% of the worldwide turnover, whichever is greater
Amended California Consumer Privacy Rights Act (CCPA/CPRA) For-profit entities that do business in California and meet one of the following:

  • Earned $25 million in gross annual revenue as of January 1 from the previous calendar year
  • Annually buys, sells, or shares the personal data of 100,000 or more California consumers or households
  • Derived 50% or more gross annual revenue from selling or sharing personal information
  • $2,500 per non-intentional violation
  • $7,500 per intentional violation or for offenses involving the personal information of minors under age 16
  • Consumers can pursue private action against a business for the following reasons:
    • Nonencrypted and non-redacted personal information is compromised
    • Email addresses in combination with a password or other details permitting access into an account are breached
California Online Privacy Protection Act (CalOPPA) Any website with California visitors falls under the threshold of this law.
  • $2,500 per violation
Virginia Consumer Data Privacy Act (VCDPA) Entities doing business in Virginia or targeting Virginia residents who meet one of the following:

  • Controls or processes personal data from 100,000+ consumers
  • Derives 50% of gross revenue from the sale of personal data and processes information from at least 25,000 consumers
  • Up to $7,500 per violation
Connecticut Data Protection Act (CTDPA) Any data controller or processor who conducts business in Connecticut or produces products or services targeted at Connecticut consumers and any controller or processor who meets one or more of the following:

  • Processes the personal data of at least 100,000 consumers (excluding data processed solely for payment transactions), or
  • Processes the personal data of at least 25,000 consumers and derives more than 25% of their gross annual revenue from the sale of personal data
  • Up to $5,000 per willful violation
  • Plus equitable remedies, including restitution, disgorgement, and injunctive relief
Colorado Privacy Act (CPA) Controllers that conduct business in Colorado or who produce or deliver commercial products intentionally targeted to Colorado residents that meet one (or both) of the following:

  • Controls pr processor personal data of 100,000 consumers per year or 
  • Derives revenue or gets a discount on the price of goods or services from the sale or personal data and controls or processes the personal data of at least 25,000 consumers
  • A range from $2,000 to $20,000 per violation plus possible criminal liabilities
Children’s Online Privacy Protection Act (COPPA) Any website or online service that is directed to children under 13 that:

  • Collects, uses, or disclosed their personal information
  • Have actual knowledge that they’re collecting, using, or disclosing personal data from children under 13
  • Have actual knowledge that they’re collecting personal information from another source or website directed to children under 13
  • Up to $40,654 per violation
Personal Information Protection and Electronic Documents Act (PIPEDA) Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donors, membership, or fundraising lists, falls under PIPEDA.
  • Up to $100,000 (CAD) per violation
Australia’s Privacy Act of 1988 Any Australian government entities or organizations that have annual gross revenue of $3 million and small businesses that make less than $3 million who meet any of the following:

  • Are private sector health service providers
  • Credit reporting bodies
  • Contracted service providers for an Australian Government contract
  • Employee associations registered under the Fair Work Act 2009
  • Businesses that hold accreditations under the Consumer Data Right System
  • Businesses that choose to opt-into the Privacy Act
  • Businesses related to businesses covered by the Privacy Act
  • Businesses prescribed by the Privacy Regulation 2013
  • $2,5000 (AUD) per person, other than a corporate body
  • Up to $55,000 (AUD) for a corporate body
New Zealand’s Privacy Act of 2020 Any person, organization, or business in the public or private sector that collects and holds personal information about other people.
  • Up to $10,000
South Africa’s Protection of Personal Information Act (PoPIA) Any entity registered to South Africa that processes personal data or people from any location.

And any entities located outside of the country who outsource their data processing to South Africa.

  • Up to R10 million (about $549,000), up to 10 years in jail, or both.

Using Complicated Language

When it comes to the contents of your privacy policy, avoid using unnecessary jargon or legalese. These words and phrases commonly used by lawyers aren’t usually understandable or accessible to the average reader.

Some legislation, including the GDPR, states that entities with privacy policies not written in plain language violate the law. This requirement ensures transparency so everyone can read and understand what’s happening to their personal information and their rights over their data.

Similarly, you should avoid writing large text walls with convoluted run-on sentences.

Keep your audience in mind when making your privacy policy, and implement easy-to-read formatting techniques by taking advantage of tables, charts, graphics, and bullet lists.

Not Reviewing Carefully

Another common privacy policy issue you want to avoid is neglecting to carefully review your policy before publishing it, even if you use a reputable template or generator.

Remember in school when your teacher would remind you to check your work? Well, that logic works with your privacy policy, too.

Ensure you read through it and check for errors, inconsistencies, or anything you may have skipped or left out. You should also double-check it for grammar issues and verify its readability.

Depending on what privacy laws you fall under, you may need to obtain explicit, affirmative opt-in consent from users before data collection occurs. This requirement is notably the case with the GDPR if consent is one of your legal basis for processing personal information.

If you find yourself in this situation, make sure you present all users who access your website or app with a live link to the most current version of your privacy policy and ask them to take some kind of action to denote that they’ve both read and agree to the terms you describe.

I typically recommend using a checkbox — just be sure it’s unmarked, as pre-ticked checkboxes are not GDPR-compliant.

Misplacing It on Your Site or App

Another common problem you want to avoid with your privacy policy is misplacing it on your website or app or forgetting to post it in necessary areas.

You should always plan to post your policy in more than one spot, but the precise locations depend on what laws your business falls under.

For example, under the CCPA, you must present your users with a notice at or before the point of collection. If you store personal information during the checkout process, you must provide a link to your policy on your checkout page.

Similarly, if you collect personal data from users when they create a login or new profile on your platform, you’ll also need to put a link to your privacy policy there.

Here’s a list of the most common places to include a link to your privacy policy:

  • The footer of your website
  • A static menu in your app
  • Payment screens or checkout pages
  • New user account creation pages
  • In your marketing emails
  • Content submission forms — if you allow users to post their creations
  • On any forms that collect personal information from users

Using a Non-Reputable Generator or Template

There are so many excellent privacy compliance resources on the internet that can help you make a privacy policy for your business. But that means there’s also an equal amount of not-so-great options out there that claim to be compliant but, in reality, aren’t.

So be extra cautious when you download a free privacy policy template or try out a policy generator, and look out for these red flags:

  • 🚩 They don’t actually ask about the specific data you collect: This is a red flag because each business collects different information for different reasons. If they don’t ask you for these details, then there’s no way the privacy policy will accurately reflect what information you’re processing.
  • 🚩 There are no questions about where your users are from: Knowing where your users are located helps determine if your business falls under certain data privacy laws. If a generator isn’t asking you for this information, they’ll likely miss necessary laws you may need to follow.
  • 🚩 You can’t review the policy before paying for it: If someone tries to make you pay before you get to review your generated privacy policy, this is a major red flag. You don’t want to spend upwards of $200 without getting to review and approve the policy first. I highly suggest avoiding websites that force this upon you.
  • 🚩 There aren’t many questions for you to answer: If a generator or template feels very short, it may be because it’s missing essential clauses and elements necessary for achieving full legal compliance. Be wary of any super short policies, as they’re likely incomplete.
  • 🚩 They don’t ask about your use of internet cookies: Internet cookies qualify as personal information, and many data privacy laws require you to allow users to opt out of things like targeted advertising, often done by placing internet cookies on your users’ browsers. If a template or generator doesn’t have anything about cookies in it, then it’s probably incomplete.

Summary

You now know the top nine issues that impact privacy policies and how to prevent them when you go to make your own. By avoiding these common privacy policy issues, you’re setting your website or app up for successful and painless data privacy compliance.

Trust me, it’s worth putting in the extra effort now to avoid those hefty fines and public backlash in the future.

Make it extra easy on yourself, and use Termly’s Privacy Policy Generator to customize an agreement that perfectly suits your privacy compliance needs.

DISCLAIMER: All information, content, materials, and quotes presented in this article are for general informational purposes only and do not, and are not intended to, constitute legal advice. Information on this page may not constitute the most up-to-date legal or other information.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources