Privacy Policy Updates: Why and How To Update


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, August 8, 2023


Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP, Director of Global Privacy


We need to talk about your privacy policy. It’s… how do I say this… outdated.

Oh, you think no one reads privacy policies? You think no one cares that you’ve been using the same one since 2011? Well, the law cares.

Several data protection regulations require you to publish an updated, accurate privacy policy on your website, or you risk getting fined and facing public backlash.

There’s a high chance that at least one of those laws impacts your business.

And, as it turns out, your customers care, too. Just look at the recent data privacy statistics:

  • 67% of internet users worldwide are more concerned with their online privacy than they’ve ever been. (LegalJobs.IO)

To help you out, I put together this handy guide to teach you everything you need to know about updating your privacy policy.

I answer some common questions about privacy policy updates, offer quick and easy solutions for ensuring legal compliance and building customer trust, and walk you through ways you can successfully inform your users about the changes.

Table of Contents
  1. Why Are So Many Privacy Policies Being Updated?
  2. Why Should I Update My Privacy Policy?
  3. How Often Should I Update My Privacy Policy?
  4. Why Do You Need to Inform Users About Privacy Policy Updates?
  5. How Can You Notify Users About Privacy Policy Updates?
  6. How to Update Your Privacy Policy
  7. Privacy Policy Updates FAQs
  8. Summary

Why Are So Many Privacy Policies Being Updated?

So, why does every company keep updating their privacy policy year after year? Well, legally, they have to.

An occasional privacy policy update email typically means the company just changed its privacy procedures and needs to inform its users.

But whenever a sudden onslaught of updates and accompanying notifications occurs, it usually means a new data privacy law has entered into action.

When you think about it, this makes sense — privacy laws establish the standards for privacy policies, so one of the first steps businesses take is to update, change, or amend their agreement and notify their users.

Doing so keeps you out of trouble with new or changing laws and shows your customers that you’re a privacy-literate, trustworthy company.

Why Should I Update My Privacy Policy?

I can’t tell you how often I’ve heard this question — so many business owners assume they can get away with making a privacy policy, publishing it online, and never looking at it again. But in reality, you should regularly update your privacy policy to ensure you don’t violate any data privacy laws.

And, frankly, asking your customers to agree to an old, outdated document that no longer reflects your privacy practices is dishonest.

Just put yourself in your customers’ shoes — would you buy something from a website you don’t trust? Of course not.

Updating your privacy policy shows consumers that you’re transparent about the information you collect and take their data privacy seriously.

This is especially vital for businesses because we live in a digital era. More and more people — business owners and shoppers alike — understand that their personal information gets tracked online, and they want to know where it’s ending up and what’s happening to it.

So anytime you change the functionality of your website or the way you interact with user data, I suggest you review your privacy policy and consider whether it still adequately addresses your data collection practices.

What Data Privacy Laws Require Privacy Policy Updates?

As I just mentioned, you’re legally required to update your privacy policy so it remains accurate based on how you collect, process, and use personal information from your consumers.

Nobody wants legal troubles, so I put together this convenient list of different data privacy laws that either directly or indirectly require you to update your privacy policy:

  • General Data Protection Regulation (GDPR)
  • UK GDPR
  • ePrivacy Directive (EU Cookie Law)
  • Amended California Consumer Privacy Act (CCPA)
  • California Online Privacy Protection Act (CalOPPA)
  • Virginia Consumer Data Protection Act (CDPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)

The list below explains how each law impacts your privacy policy updates in greater detail — I also included their legal thresholds and the penalties for violating them, so you can determine which apply to your business and learn more about their potential financial impact.

GDPR
  • How it impacts privacy policy updates: If you collect new information from users or want to use it in ways not already established in your privacy policy, you must make updates and re-obtain consent from users.
  • Legal threshold: Any organization that collects, processes, or stores the personal data of individuals located in the European Union (EU) or European Economic Area (EEA).
  • Penalty for violating the law: Up to €10 million ($12 million) or 2% of your global annual turnover, whichever is higher; up to €20 million or 4% of the annual turnover for more serious infringements.

UK GDPR
  • How it impacts privacy policy updates: Like the EU GDPR, if you want to collect new pieces of data or use it in ways not already established in your privacy policy, you must update your agreement and re-obtain consent from users.
  • Legal threshold: Any organization offering goods or services to UK citizens that processes their personal data.
  • Penalty for violating the law: The maximum sums allowed depend on the threshold. It can be £17.5 million or 4% of the global revenue, or £8.7 million or 2% of the worldwide turnover, whichever is greater.

EU Cookie Law (ePrivacy Directive)
  • How it impacts privacy policy updates: You must update your policy with new cookies or trackers your site uses, or else you could be fined for violating this law.
  • Legal threshold: Any website with EU visitors that uses cookies or other tracking technology.
  • Penalty for violating the law: According to the text of the Directive: “Where the rights of the users and subscribers are not respected, national legislation should provide for judicial remedies. Penalties should be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive.”

CCPA/CPRA
  • How it impacts privacy policy updates: The amended CCPA explicitly states that you must update your policy at least once every 12 months.
  • Legal threshold: For-profit entities that do business in California and meet one of the following: earned $25 million in gross annual revenue as of January 1 from the previous calendar year; annually buy, sell, or share the personal data of 100,000 or more California consumers or households; or derive 50% or more of gross annual revenue from selling or sharing personal information.
  • Penalty for violating the law: Up to $2,500 per non-intentional violation; up to $7,500 per intentional violation or violations involving known minors.

CalOPPA
  • How it impacts privacy policy updates: You must include information about how you’ll update users about changes to your privacy policy.
  • Legal threshold: Any website with California visitors falls under the threshold of this law.
  • Penalty for violating the law: Up to $2,500 per violation.

Virginia CDPA
  • How it impacts privacy policy updates: You must present your users with an accurate policy reflecting your current privacy practices, or else you risk getting fined for violating this law.
  • Legal threshold: Entities doing business in Virginia or targeting Virginia residents that meet one of the following: control or process personal data from 100,000+ consumers; or derive 50% of gross revenue from the sale of personal data and process information from at least 25,000 consumers.
  • Penalty for violating the law: Up to $7,500 per violation.

PIPEDA
  • How it impacts privacy policy updates: You must follow all ten fair information principles, which include openness about your personal data management practices. Dishonesty could lead to fines for violating this law.
  • Legal threshold: Any organization that collects and uses personal information in connection with commercial activities, including selling or sharing donor, membership, or fundraising lists, falls under PIPEDA.
  • Penalty for violating the law: Up to $100,000 per violation.

If even just one applies to your business, you’ll need to set your website up for full compliance to avoid getting fined for violating the law.

But don’t worry, I know of a company that can help simplify the whole process for you — it’s Termly (Obviously! Who did you think I’d recommend?).

As the resident Director of Global Privacy, I help our product engineers — the folks who develop our privacy policy generator and consent management platform — with the creation, management, and upkeep of our tools, all of which are designed to help you meet the legal requirements outlined by all seven of those laws (with more to come!).

How Often Should I Update My Privacy Policy?

Privacy policies are living documents that you should review and update every few months — I like to add it as a talking point to our meeting agendas practically every quarter, just to be on the safe side.

But it’s particularly important to make changes whenever you modify the types of data you collect from users or adapt how you use that information.

For proper legal compliance, you must ensure that your privacy policy is always accurate and reflects your current data collection and processing activities.

Additionally, laws like the amended CCPA require you to go through and review your privacy policy at least once a year.

On a more personal note, if I come across a privacy policy that is super old or doesn’t clearly post the ‘last updated’ date on the document, I view it as a major red flag.

Not only does this suggest that the business might not be compliant, but it also makes me wonder what else the company isn’t being transparent about.

Why Do You Need to Inform Users About Privacy Policy Updates?

Establishing some transparency with your users helps build trust, so I like to update my Termly customers about changes to our privacy policy to keep those relationships strong — I mean, wouldn’t you want to know if a website you use regularly started to collect or use information about you differently?

Of course, you should also inform users about updates you make to your privacy policy for legal compliance reasons.

It’s a best business practice (and a GDPR requirement) to incorporate privacy by design into your procedures and create an atmosphere of transparency with your customers regarding their data.

Since I already talked about the relevant data privacy laws earlier in this guide, let’s spend some time covering why updating your privacy policy is essential if you:

  • Want to build trust and help your business avoid public backlash
  • Target your goods or services to children

Build Trust and Avoid Public Backlash

Trust is not just a buzzword to me (and the rest of the Termly team). It’s a necessary part of collecting, processing, and using personal data. To earn the trust of your customers, you must be honest with them about how you do all three of these things.

You also need to let them know if and when those processes change and what is explicitly different than before.

I’m not sure who needs to hear this, but your customers are not just graphs of data to use for marketing and advertising purposes — they’re just like you; they’re human beings who deserve to be treated with respect.

Respect means being transparent about what data you collect about them and explaining how and why you use that information.

You Market to Children

Does your website market to children? If so, you must follow strict, specific guidelines regarding data collection and include detailed information within your privacy policy.

If you make any changes to your processing practices, you must update your policy immediately and inform the parents or legal guardians of those minors.

For example, the Children’s Online Privacy Protection Act (COPPA) protects data collected from users under 13 in the US.

Similarly, the amended CCPA also has stricter guidelines regarding how you obtain consent and if you can sell and share the data from underage users.

How Can You Notify Users About Privacy Policy Updates?

If I’m being honest, having a process for notifying your users about your privacy policy updates is just as important as making the updates.

Update notifications are important because laws like the GDPR require you to re-obtain consent from individuals if you want to start collecting new information from them or use their data in ways not previously outlined in your agreement.

I suggest trying to notify your users about the updates you’ve made to your privacy policy by:

  • Using a banner or pop-up notice
  • Sending out an email update
  • Creating a blog or news post

I know it’s tempting, but taking shortcuts isn’t worth it, especially when it comes to privacy compliance, so I recommend implementing more than one of these methods.

Just remember to change the ‘last updated’ date and include it somewhere on your final document so it’s easy for consumers to spot.

Now let’s go over each of these notification methods in more detail.

Banner or Pop-up Notice

Letting users know you’ve updated your privacy policy using a pop-up notice or banner is very simple and effective.

It’s a good idea to implement the banner in a way that users will see it as soon as they come to your site, regardless of what page they land on.

Include a link to your new policy directly on the banner so anyone can easily read it. Explain what’s new using simple language so it’s accessible to as many different readers as possible.

Below, see an example of how the Beau Rivage MGM Resort hotel inserted a banner on its site to inform users that it recently updated its privacy agreement.

[Image: privacy policy update banner on the Beau Rivage MGM Resort website]

While I love this method, it shouldn’t be the only thing you do to inform users about your privacy policy changes.

There’s a chance not everyone will see it, especially since you probably won’t permanently leave the pop-up banner on your site. So use this method in combination with other notification solutions.

Privacy Policy Update Email

Another effective way to inform your users about privacy policy updates is by sending an email notification to them.

Remember to include a link to the complete text of the new policy and use simple language to explain what changes you’re implementing. If a legal challenge occurs, you can argue that your users were informed about the changes and had easy access to the new document.

Below, see a great example of a privacy policy update email from the clothing company Everlane detailing their privacy policy changes for the amended CCPA.

[Image: Everlane privacy policy update email]

Blog or News Post

Ah, blog posts — my personal favorite method for communicating important information to the masses. I highly suggest creating one to highlight your site’s latest privacy policy changes, which doubles as an efficient way to archive older versions of your policies.

Unlike the pop-up banner solution, blog posts live on your site forever, giving your customers more time to read about the changes you’ve made to your policy.

And, if a legal dispute arises, having a proper log of the past iterations of your policy can help you prove that you’ve implemented the appropriate updates and changes following relevant data privacy laws.

Below, see an example of the blog post where the National Basketball Association (NBA) posts details about all the changes it has made to its privacy policy.

[Image: NBA blog post listing privacy policy updates]

They continually add to this archive whenever another update occurs, which I recommend you also do.

Oh, and at the risk of sounding like a broken record, remember to link directly to the most current version of your privacy policy in your blog post.

How to Update Your Privacy Policy

In this next section, I’m going to teach you how to quickly and easily update your privacy policy in three ways:

  • Using a managed solution
  • Updating a free template
  • Writing it yourself

Managed Solution

The thing I recommend the most to business owners looking for the easiest way to make and update a privacy policy is a managed solution, like our Privacy Policy Generator.

Our generator asks you simple, relevant questions about your business’s data privacy processes and kicks out a legally compliant, thorough, and properly formatted policy for you based on your answers. No hassles, no fuss.

When it’s time to make a change, you simply pop back into the Termly dashboard anytime and make the updates directly in the builder.

It then automatically applies the changes to the published version of your privacy policy embedded on your website — super easy, right?

Below, see a sample of what our privacy policy generator looks like.

[Image: Termly Privacy Policy Generator]

Update Your Privacy Policy Template

I also like suggesting people try using a free privacy policy template because they are easy to update and a good starting point for businesses on a budget.

You must manually fill in blank sections of a template with information about your business, so it requires more hands-on work.

But when it’s time to make some updates, you simply go back into the document, find the necessary clauses or features, and write in the new information yourself.

Below, see a sample of our privacy policy template.

[Image: Termly privacy policy template]

Writing It Yourself

If you wrote your own privacy policy and it needs updating, you can just open up the original document and edit the sections that need to be changed.

But to make the process easier for you, I have a few tips and tricks:

Privacy Policy Updates FAQs

I could — and often literally do — talk about privacy policies all day, so if you still have questions about updating yours, check out answers to some frequently asked questions on the topic below.

How often do I need to update my privacy policy?

You must update your privacy policy whenever your data privacy practices or procedures change. Under laws like the CCPA, you must update it once every 12 months.

How do I notify users of privacy policy updates?

You can quickly notify users about your privacy policy updates by putting a ‘last updated’ date on your policy, sending out a blast email, publishing a blog post, and using a pop-up or website banner to inform people about the changes.

Why are all the privacy policies changing?

Privacy policies change when companies implement new privacy protocols or in an effort to abide by legal obligations.

For example, the CCPA requires all entities to update their privacy policy once every 12 months.

Why did so many privacy policies update in 2018?

In 2018, the GDPR entered into force, and many businesses updated their privacy policies to meet the requirements outlined by the regulation.

Despite passing into law in 2018, the GDPR didn’t come into action until 2020, the same year the CCPA was implemented, so another wave of privacy policy updates occurred that year.

Summary

Hey, you’ve reached the end of the guide! You’re now equipped with all the knowledge you need to properly update your privacy policy so it continues to meet relevant legal obligations and keeps your consumers accurately informed. That’s great!

Want to take the mess out of privacy compliance? Use our Privacy Policy Generator to seamlessly integrate all of your future updates and keep lines of communication open with your customers.


Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.