Best Practices for Material Updates to Your Privacy Policy

Keeping your Privacy Policy up to date is critical.

From time to time, your data practices may change to keep up with amendments to existing laws or bring your company into compliance with new ones. Additionally, you might change the types of data you collect or the way that you process it.

However, it isn't enough to simply make updates to your Privacy Policy and move on. You must let your users know that you've made changes once you've made them.

Remember that if you update your Privacy Policy but don't tell your website's users that you've done so, you could fall out of compliance with various laws, and it becomes a high possibility that you'll undermine the trust of your website's users.

In the article below, we'll go over the best practices for making updates to your Privacy Policy so that you can stay compliant and remain within the good graces of your customers.

When Should You Update Your Privacy Policy?

You should consider your Privacy Policy to be a living document. It isn't a bunch of text you write once and then never give a second glance. Instead, it's a good practice to review it regularly.

The reason for regular reviews is to ensure that the information it contains is actually accurate and current with your own data practices as well as with all laws and regulations.

For example, suppose your business starts accepting payments through a new or different financial services company, changes how users can log in to your website, or begins collecting email addresses in exchange for a new free download. You must reflect changes such as these in an updated Privacy Policy.

In the image below, your Privacy Policy would need to be updated to add or remove any reasons why a street address would be requested by the company:

It's essential to keep in mind that you should keep records of each iteration of your Privacy Policy. Thus, you should make copies of old Privacy Policies and store them safely after you've replaced them with a new version.

Why Update Your Privacy Policy

One of the reasons you should keep your Privacy Policy up to date is to stay compliant with various laws and regulations, as mentioned above.

For instance, suppose you do business in California. In that case, you'd be subject to the California Consumer Privacy Act (CCPA), which requires companies to update their Privacy Policies every year and to notify consumers of those updates.

Moreover, it's possible that you might be required by federal law to notify your website's users of updates depending on the nature of your policy's changes and what kind of information your company collects.

In addition, being transparent is vital since, according to the Federal Trade Commission Act, you are prohibited from unfair and deceptive business practices...and you don't want your customers accusing your business of hiding Privacy Policy updates from them.

Below is an example of how Wix notified its customers through email that the Privacy Policy had been updated, which keeps with the requirements of the CCPA:

Meeting User Expectations

In addition to staying compliant with the law, you'll also want to make sure that you're meeting the overall expectations of your customers. People want to have confidence in those with whom they do business.

Customers need to know that they can trust you with the safety of their private, perhaps sensitive information when they access your apps and websites. Remember that in today's world, your commitment to transparency and trustworthiness is something many consumers take a hard look at before doing business with you.

Many consumers are completely aware of the privacy laws in their region, and thus, Privacy Policies on company websites are a feature that most expect to see. They also expect notifications whenever you make changes.

Here's an example of a polite, informative notice of Privacy Policy changes that can be sent to customers as part of efforts in transparency:

Avoiding Disputes

In most regions, customers have the ability to take you to court if you don't follow your own Privacy Policy.

For instance, say your policy says something similar to Wix's, where you mention that your goal is to "always be transparent and maintain your trust," but then you made changes to your policy and didn't send out notifications about them.

That might seem like a small error, but you could be sued for it.

Being prompt with both updates and notifications prevents others from claiming that your changes aren't what they agreed to or that they were never informed of changes to your Privacy Policy at all.

Moreover, a notice is respectful of your customers because it gives them the opportunity to opt-out of your data collection or to close their account with you altogether if they disagree with the changes you've made.

Protecting Kids Under 13

You absolutely must send a notification to your customers of all updates to your Privacy Policy if your app or website targets kids under the age of 13, or even if it might appeal to children in that age group.

The Children's Online Privacy Protection Act (COPPA) demands that you both obtain the consent of parents or guardians and send a notification if you change anything in terms of the data you collect or the way that data is processed.

Here's an example of how you can present a notice of updated terms and Privacy Policy information:

Our Top Best Practices

Now that we've covered the reasoning behind the need for up-to-date Privacy Policies and notices let's discuss how to ensure that both meet the highest quality standards.

Use Clear Language

Your Privacy Policy, as well as update notifications, should always be written in clear, uncomplicated language. A good approach is to ensure the language can be understood by anyone with a sixth-grade reading level.

In order to meet the requirements of laws like Europe's General Data Protection Regulation (GDPR) or the CCPA, your Privacy Policy must be:

• Easily accessible, intelligible, concise, and transparent
• Written in plain, clear language (especially if addressed to a child)
• Free to access

The UK's Information Commissioner's Office puts it this way:

"Being transparent by providing a privacy notice is an important part of fair processing. You can't be fair if you are not being honest and open about who you are and what you are going to do with the personal data you collect."

Here's an excerpt of a Privacy Policy that demonstrates how to use clear, simple language and easy-to-read formatting like lists to make your Privacy Policy easy to understand:

It's interesting to note that many developers and academics have decried the overly burdensome legalese that has been the hallmark of most legal documents, such as Privacy Policies and Terms of Service Agreements, for years.

Due to the need to make these documents clear and understandable to the majority of people who read them, some individuals within groups such as Mozilla have worked on developing standard iconography, which could be used to denote different levels of data use or privacy.

Combined with short bits of basic text, these icons could be used to further streamline and clarify Privacy Policies everywhere. However, most of these concepts have not moved outside the academic world and into the commercial yet.

Businesses may still wish to keep an eye on these types of proposals, though, because, as we all know, the trend to simplify, simplify, simplify may continue on past what's required now.

Always Provide Notice

There are three ways you can do this with relative ease:

1. Use a pop-up notice on your website, which announces the update, and that requests consent to all changes
2. Ensure your Privacy Policy contains an update clause
3. Send an email out to your customers that announces the changes made to your Privacy Policy, like the example above from Wix

Below we'll discuss each of these methods a bit more in-depth.

Use a Pop-Up Notice

The first method of letting your customers know you've made changes to your Privacy Policy is through the use of a pop-up notice on your website. The mechanism may be similar to that used in a cookie consent notice.

To do this, simply:

• Include a statement which notes that your Privacy Policy has been updated
• Use a mechanism to gain consent, such as clickwrap (where the user must actively click "Agree" or "Accept" to confirm they've given consent) and ensure that it appears at the point of data collection. Note: Remember that browsewrap agreements are no longer acceptable when it comes to gaining consent from users
• Provide a link to the new Privacy Policy so users can easily navigate to and read it

Here's an example of a simple pop-up notice from WhatsApp:

Include an Update Clause in Your Privacy Policy

By including an update clause in your Privacy Policy, you can help prevent the need to obtain new consent each and every time you update it.

Some businesses choose to write a dedicated clause and place it near the end of the policy due to the fact that it can sometimes get buried with other information if placed in the preamble.

For instance, MeWe places its update clause at the end of its Privacy Policy:

Notice that MeWe explicitly states that if any changes are made to its Privacy Policy, it will provide users with the ability to opt-out of its service and that users can delete their accounts.

It's important for companies to be as open and forthcoming as possible in their Privacy Policies, and MeWe's is a good example of that sort of transparency.

Update Users Through Email

Another effective method for sharing notifications about updates to your Privacy Policy is through the use of email. In fact, if you want to be thorough, an email ought to be your "go-to" method, with the other two as backups.

An email arrives directly in your customers' inboxes, where they are most likely to see any notifications that you put out. Remember, while a user may visit your site every once in a while, most people visit their email every day.

An effective email notification for Privacy Policy updates includes the following four things:

• The date your new Privacy Policy goes into effect
• A link to your new Privacy Policy
• A list of the most important changes made to your Privacy Policy
• What actions users can take if they don't agree to the changes

Here's how Reddit presented this information in an email notice:

Another example comes from Change.org, where you can see how the company makes sure website visitors know that changes have been made to the Privacy Policy to stay in line with European law (the GDPR):

And here's one more example:

Summary

Your Privacy Policy is a living document. You will likely revise it at least once per year to stay compliant with major privacy legislation worldwide. Keep in mind the following:

• The language you use in your Privacy Policy and notifications must be clear and easy to understand and shouldn't be burdened with difficult-to-read legal jargon.
• Your Privacy Policy must reflect how your business currently handles data. Additionally, you need to detail specifics, such as how you collect, use, store, share, and protect consumers' personal information.
• Whenever you update your Privacy Policy, you must ensure that you notify your customers promptly. Notification may be conducted in several different ways, such as through a pop-up notification on your website (which can double as a means of gaining consent), through a dedicated clause within the Privacy Policy itself, or via email.