Why Your Privacy Policy Needs to Mirror Your Privacy Practices

Customers buy from businesses that they know, like, and trust. That statement has become a cliche because it is repeated so often, and it is repeated so often because it is simply true.

How many times have you seen the mission statements or "values declarations" of other businesses where they seem to put the words "honesty, trust, and transparency" in flashing neon lights? At the very same time, how many times have you seen businesses operate in a fashion that puts the lie to their public-facing words?

Why do you think that is?

Well, according to an EY global fraud survey discussed on Entrepreneur, it's because business owners and executives think they can get away with bad behavior.

This same attitude is displayed by business owners all too frequently when it comes to a company's Privacy Policy.

Many times, privacy practices don't align with what's written in a company's Privacy Policy. And this can lead to trouble.

Google found out just how important it is for privacy practices to mirror a Privacy Policy when a Pixel phone owner filed a class-action lawsuit claiming that the tech giant violated the California Consumer Privacy Act (CCPA). Robert McCoy, the plaintiff, filed the suit on August 8th, 2020, and we'll talk about the fallout Google now faces in a moment.

First, just think about whether your Privacy Policy reflects your business's actual privacy practices. It doesn't pay to write one thing in your Privacy Policy and then fail to follow your own policy. In fact, it can cost you dearly in legal fees, fines and a damaged reputation.

Holding any of the following views could cause your business a world of hurt:

  • It doesn't matter whether my business's privacy practices mirror my Privacy Policy because no one reads the Privacy Policy anyway
  • I won't get caught
  • I can justify non-compliance with the rationale that maybe I can improve profits if I ignore my Privacy Policy's contents

The Dangers of Not Following Your Own Privacy Policy

If you don't have a Privacy Policy, you need to stop reading this right now and get one written and placed in a prominent place on your business website where everyone can see it. (A traditional location for this is in your website's footer section.)

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your website. Just follow these steps:

  1. Click on the "Privacy Policy Generator" button.
  2. At Step 1, select the Website option and click "Next step":

     (Screenshot: TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1)

  3. Answer the questions about your website and click "Next step" when finished:

     (Screenshot: TermsFeed Privacy Policy Generator: Answer questions about website - Step 2)

  4. Answer the questions about your business practices and click "Next step" when finished:

     (Screenshot: TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3)

  5. Enter your email address where you'd like your policy sent, select translation versions and click "Generate."

     (Screenshot: TermsFeed Privacy Policy Generator: Enter your email address - Step 4)

     You'll be able to instantly access and download your new Privacy Policy.

With that said, if you do have a Privacy Policy, then you need to understand that ignoring it and doing whatever you want can cause serious problems to come crashing down on you and your business. Some of these issues could include accusations of unfair or deceptive trade practices.

There are a host of state privacy and data protection laws as well as regulations enforced by the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) that could land you in hot water.

Google messed up and got itself into a difficult situation by ignoring privacy provisions in the CCPA. Again, we'll talk about that in a minute. The point is that there are many laws now in effect designed to protect the consumer.

Even if you have a Privacy Policy (remember Google also has a Privacy Policy), it's not going to safeguard you if it's discovered that you don't abide by its terms.

Allow us to take you on a trip down memory lane.

In recent years, both the FTC and the FCC have moved against businesses that violated privacy regulations, which resulted in substantial settlement terms. In the FCC case, businesses that violated their own Privacy Policies received multi-million dollar fines.

Just some of the companies that have felt the long arm of the FTC due to unfair or deceptive trade practices, and for allegedly making misleading statements in Privacy Policies, include Fandango, Credit Karma, GMR Transcription Services, and Snapchat:

"According to the FTC's complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises," said FTC Chairwoman Edith Ramirez. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.""

Business owners should note that in order to get an FTC action resolved, they usually need to sign a consent order. That order would then require them to:

  • Set up extensive security programs with the intention of addressing security risks during the development of applications, products, or programs
  • Go through independent security assessments, which take place every other year for a period of twenty years
  • Ensure there are no more misrepresentations concerning security or privacy
  • Understand that the company will be found in contempt of court if an assessment finds that the business owner has failed to comply with all terms of the consent order at any time over the course of the next twenty years

Examples of companies that ostensibly failed to safeguard personal data (one case involved over 305,000 consumers) and that faced huge fines from the FCC include TerraCom and YourTel. Back in 2014, these companies argued that they indeed had measures in place to guard customer data, and they had published Privacy Policies regarding those measures.

However, the FCC apparently discovered that for over a year these organizations had stored customer data in a way that allowed anyone on the internet to access and view it.

Google and the CCPA

All the troubles businesses faced, which we've mentioned so far, were due to violations of older privacy laws.

However, ever since 2016, when Europe's comprehensive General Data Protection Regulation (GDPR) was passed, countries worldwide, including the USA, began passing increasingly harsh legislation. Lawmakers started focusing on establishing and enforcing broad privacy and security protections for consumers.

Many companies have argued that adherence to these new regulations could hurt profits and in some cases, might force them to stop doing business altogether in certain regions.

In the USA, the most exhaustive law in this regard is the California Consumer Privacy Act (CCPA), which, as we mentioned, Google has now been accused of violating.

Many consumers and lawmakers had already started to take a hard look at Google due to supposed transgressions against user privacy, especially when it came to their maps and search services.

However, the new class-action lawsuit focuses on the alleged use of Google's "lockbox" program by Google employees to spy on Android users.

According to the plaintiff, Robert McCoy, the spying motive was to give Google an edge over apps like TikTok, which was developed by ByteDance Ltd., one of Google's competitors.

The thing to focus on here is that Google may have breached the CCPA by failing to disclose in its Privacy Policy that it was monitoring and using Android users' data.

Ensure Your Privacy Policy is Up-to-Date

Since honesty and transparency are paramount in today's business climate, business owners must ensure that their privacy practices are up-to-date and match what's written in their Privacy Policies.

To stay compliant with the most sweeping data protection and privacy laws, you need to make sure that not only is your Privacy Policy current, but that your customers are aware of that fact.

All of the above is easier than you may believe. There is no reason that any company should compromise compliance with laws such as the ones mentioned here.

Make it a point to check the date on your Privacy Policy. If it's more than a year old, you need to make an effort to tune it up. In fact, if you make changes to any privacy practice whatsoever, at any point, you should update your Privacy Policy.

Make sure to go over the clauses in your Privacy Policy to ensure that you comply with major legislation.

In particular, go over issues such as:

  • What private, sensitive data does your business gather?
  • How does your company use the private information it collects?
  • What security measures have you implemented to protect users' private data?
  • How long do you keep private information once you've collected it?
  • Where is a user's private information stored?
  • Do you sell user data? If so, to whom?
  • Do you share user data? If so, with whom?
  • Do you give access to user data to any third parties? If so, why?
  • Does your website use cookies?
  • Do you collect geolocation information?
  • Do you let users know how they can correct information if they believe it is inaccurate?
  • Do you let users know how they can have their information deleted entirely?

Once you've done that, add in an "effective from" date at the top of your Privacy Policy.

It can go a long way to reassure your customers that you are making a real effort to keep their privacy and data protection needs in mind. See the following screenshot from Barnes & Noble's Privacy Policy for reference:

(Screenshot: Barnes and Noble Privacy Policy with Effective Date highlighted)

This lets your users and the authorities know that you are vigilant with updating your Privacy Policy, or at least that it has been reviewed recently.

Learning From the Past, Looking to the Future

Over the years, there have been many examples of businesses that won on a temporary basis by gaming the system. They covered their tracks with legal documents and believed that no one would look behind the curtain to see if their business practices matched their public statements.

However, winning streaks like these have almost always been short-lived, with the downfall of giants like Enron used as cautionary tales. In case you aren't familiar with the case, Enron was once considered one of America's leading and most innovative companies. Its CEO had relationships with individuals in the highest of the United States' social circles.

Yet all of that came crashing down, and Enron's CEO was publicly disgraced when it was discovered that the company's success was built on a web of lies. The company's leaders' business practices in no way mirrored the information they provided to regulators or their customers.

When Enron fell, its crash affected thousands of people. The company's shares went from an all-time high of $90.75 to a pathetic $0.26 when it went bankrupt.

Don't let that be you or your business. Err on the side of caution and openness. In 2020, you must do what it takes to be seen as an organization that prizes honesty, integrity and transparency above all.

In a world of dishonest business practices and people who are willing to do whatever it takes to get ahead, making sure your Privacy Policy mirrors your privacy practices is a step toward demonstrating that you hold your business to a higher ethical standard.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.