
Examples of Website Privacy Policy Fines 

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Examples of Privacy Policy fines

If you are reading this blog, you probably already know that we are passionate about website policies. If you already have a Privacy Policy or are considering getting one for your website, you also probably know that businesses that collect Personally Identifiable Information (PII) may be required to have a Privacy Policy by multiple privacy laws. In fact, most businesses have a Privacy Policy to comply with privacy laws, as non-compliance can lead to heavy fines (for example, up to $2,500 per violation under the California Consumer Privacy Act) or even lawsuits. In this article, we will discuss who needs a Privacy Policy, the main guidelines for Privacy Policies and several examples of website Privacy Policy fines so that you can learn about these compliance obligations. 

Who needs to have a Privacy Policy? 

Generally, your website will need a Privacy Policy if it is collecting Personally Identifiable Information (PII). PII is defined as “any information that could identify a specific person or any information relating to a specific person.” Examples of PII commonly collected by websites include: 

  1. Name;
  2. Email address;
  3. Phone number;
  4. Physical address;
  5. IP address.

Websites commonly collect PII through the following features: 

  1. Contact forms; 
  2. Email newsletter subscription forms; 
  3. eCommerce; 
  4. Account creation forms; 
  5. Analytics features; 
  6. Advertising features. 

The collection of PII by websites is regulated under a number of privacy laws that require websites to have a Privacy Policy that includes the disclosures specified in those laws. It is important to note that privacy laws protect individuals, not businesses, and have a very broad application, meaning that you may be subject to laws outside of your state or country. In addition, while some laws apply only to large businesses, other laws apply to small businesses as well, regardless of revenue, employee count or amount of PII collected. Lastly, while some privacy laws exempt nonprofits, others do not and thus apply to for-profit businesses and nonprofits alike. To determine which privacy laws apply to you, you should ask yourself the following: 

  1. Whose PII are you collecting through your website? 
  2. Who do you track through cookies, pixels, analytics, or advertisements? 
  3. Where do you do business? 
  4. To whom do you offer goods or services? 

If you are unsure as to which privacy laws apply to you, Termageddon’s policy generator questionnaire will help you determine this during the Privacy Law Identifier stage. 

Privacy Policy guidelines

While many assume that a Privacy Policy contains random, boilerplate text, this is simply not the case, as there are specific guidelines that must be followed to ensure that your Privacy Policy complies with applicable laws and thus helps you avoid fines and lawsuits. These guidelines are as follows: 

  1. Your Privacy Policy must include all of the disclosures enumerated in the privacy laws that apply to you; 
  2. Your Privacy Policy must accurately reflect your actual business and privacy practices; 
  3. Your Privacy Policy must be easy to read and must not be misleading; 
  4. Your Privacy Policy must be kept up to date with changes to existing laws and the requirements of new privacy laws. 

It is important to keep these guidelines in mind when reviewing the examples of website Privacy Policy fines discussed below. 

Privacy Policy fines example 1: Sephora 

In the first example of Privacy Policy fines, Sephora agreed to a settlement of $1.2 million for violations of the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act). The settlement stemmed from allegations that the company violated the CCPA by: 

  1. Failing to disclose to consumers, in its Privacy Policy, that Sephora sold their personal information; and 
  2. Failing to process consumer requests to opt out of the sale of their personal information, including opt-out preference signals sent by the consumer’s browser (the Global Privacy Control). 

In addition to paying the $1.2 million penalty, the company was also required to correct its online disclosures and Privacy Policy to include a statement that it sells personal information, and to honor consumer opt-out requests. 

Privacy Policy fines example 2: Uber 

In the second example, Uber was fined €10 million by the Dutch Data Protection Authority for violations of the General Data Protection Regulation (GDPR). The violations stemmed from the company failing to meet the transparency requirements of GDPR through the following: 

  1. Failing to state, in its Privacy Policy, how long it retains PII; 
  2. Failing to provide sufficient information, in its Privacy Policy, as to which countries outside the European Economic Area it transfers PII to; and 
  3. Making it unnecessarily difficult for individuals to exercise their privacy rights, such as the right to access their data. 

Privacy Policy fines example 3: Black Tiger Belgium

In the third example, the data management company Black Tiger Belgium was fined €174,640 for various violations of GDPR, including violations of the law’s requirement to provide adequate information about the processing of PII to individuals. Specifically, the company obtained PII from sources other than the individuals themselves, failed to inform those individuals that it was processing their PII, and failed to inform them, in its Privacy Policy, of their right to object to such processing. 

Privacy Policy fines example 4: Google 

In this example of Privacy Policy fines, Google was fined €57 million by the French Data Protection Authority (CNIL) for multiple GDPR violations, including violations of the transparency requirement. Specifically, the Data Protection Authority found that Google violated GDPR by making it difficult for individuals to understand what Google does with their PII: the relevant information was spread across several documents and required multiple clicks to reach. Google failed to clearly explain, in its Privacy Policy, that PII would be used for the personalization of advertisements, failed to explain that PII would be combined across various Google products, and lacked a valid legal basis for the processing of PII for ad personalization, as the consent it relied on was neither sufficiently informed nor specific. 

Privacy Policy fines example 5: Canal+ Group

In the fifth example, the company Canal+ Group was fined €600,000 by CNIL for various GDPR violations. Part of the fine was based on the company failing to meet the transparency requirements of GDPR. Specifically, the company failed to inform individuals, in its Privacy Policy, how long it retains PII and the categories of third parties with whom PII is shared. 

Privacy Policy fines example 6: WhatsApp

In our final example, WhatsApp was fined €225 million by the Irish Data Protection Commission for GDPR violations concerning the requirement to provide adequate information to individuals regarding the processing of their personal information. The Data Protection Authority found that WhatsApp failed to provide adequate information, in its Privacy Policy, regarding the legal basis for processing PII and failed to provide adequate information regarding the sharing and processing of PII by other Meta (then Facebook) companies. 

It is important to note that there are multiple other examples of website Privacy Policy fines that stem from the following: 

  1. Failure to have a Privacy Policy; 
  2. Failure to include all of the required disclosures in the Privacy Policy; 
  3. Failure to provide a Privacy Policy that accurately reflects the privacy practices of the business; and 
  4. Failure to keep the Privacy Policy up to date with legislative changes. 

As you can see from the above, having a comprehensive and up-to-date Privacy Policy is a large part of the compliance measures that can help you avoid privacy-related fines and lawsuits. In addition, companies have also been fined for failing to have a proper cookie consent banner. If you do not currently have a comprehensive Privacy Policy for your website, or do not have a strategy to keep it up to date with changing requirements, make sure to check out the Termageddon Privacy Policy generator.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
