Here at Termageddon, we like to frequently remind people that it’s not just about getting a Privacy Policy, but having a strategy in place to make sure your website policies stay up to date as privacy laws change or are added.
After all, it happens more than you might think.
At the time of this article, we’re tracking several privacy bills that are in the works in the United States alone, and new privacy laws go into effect every year – most requiring your website to update the disclosures in its website policies. The United Kingdom and Australia are also considering updating their privacy laws.
So, the question becomes: How do I know if I need to update my Privacy Policy?
Short answer: You hire an attorney or use an attorney-founded Privacy Policy generator like Termageddon.
That being said, we also wanted to offer up some actionable steps a website owner can take to see if their policies are potentially outdated – without spending money. So we’ve gathered five very common signs we see that indicate a person’s Privacy Policy may be out of date.
*note: this list isn’t all-encompassing; just designed to be a starting point for those curious as to whether or not it’s time to update their website’s policies. Seeing one of these signs on your own Privacy Policy page also doesn’t mean for certain that your website is no longer compliant (but it probably is).
Sign 1: Your Privacy Policy has not been updated in years
Example: “This policy was last updated on 24th of May, 2018”
Privacy laws are anything but static. Online privacy is a big topic these days and therefore lawmakers globally are regularly looking to create or improve their privacy laws.
Most privacy laws don’t care about where your business is located, just about where your website visitors are located, so any one website could be required to comply with privacy laws in multiple states and even countries. Given the global scale of these laws, it’s safe to say the landscape isn’t exactly set in stone.
So why is our example above a sign that a Privacy Policy is out of date? Since May 2018, here are some major privacy law changes that have gone into effect:
- United Kingdom left the European Union, separating from EU GDPR to UK DPA 2018 (aka UK GDPR)
- Nevada Revised Statutes Chapter 603A was updated with newly required Privacy Policy disclosures
- California Privacy Protection Act went into effect
- California Privacy Rights Act went into effect
- Virginia Consumer Data Protection Act went into effect
- Colorado Privacy Act went into effect
- Utah Consumer Privacy Act went into effect
- Delaware Online Privacy and Protection Act went into effect
- Connecticut SB6 went into effect
- Quebec Law 25 went into effect
Sign 2: Privacy Shield used for data transfers
Example: “Company complies with the EU-US Privacy Shield Framework to transfer personal information from the European Union to the United States.”
Why is this out of date?
The Privacy Shield Framework was invalidated in 2020 by the Schrems II decision. From that point on, the Privacy Shield Framework could no longer be used to transfer data from the European Union to the United States.
Sign 3: Your Privacy Policy does not disclose the categories of third parties with whom you share personal information
Example: “If you ask to be added to our email list, your name will be added to our email marketing list.” or “We will share your personal information with outside parties with your consent.”
Why is this out of date?
The following privacy laws require you to disclose the specific categories of third parties with whom you share personal information:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Privacy Rights Act (CPRA);
- Nevada Revised Statutes Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act;
- Utah Consumer Privacy Act (UCPA);
- Connecticut SB6;
- Iowa SF262 (effective January 1, 2025);
- Indiana SB5 (effective July 1, 2026);
- Tennessee Information Protection Act (TIPA – effective July 1, 2025);
- Montana Consumer Data Privacy Act (MCDPA – effective October 1, 2024);
- Texas Data Privacy and Security Act (TDPSA – effective July 1, 2024);
- Oregon Consumer Privacy Act (effective July 1, 2024);
- Delaware Personal Data Privacy Act (DPDPA – effective January 1, 2025);
- NJ SB332 (effective January 16, 2025);
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25;
- Australia Privacy Act of 1988.
The example above does not actually state that you share emails with email marketing vendors (e.g. MailChimp or ConstantContact). If you need to comply with any of the above privacy laws and your Privacy Policy does not list the categories of third parties with whom you share personal information, then it is out of date and not compliant with the above laws.
Sign 4: Storing data indefinitely
Example: “If you leave a comment or submit your information via our contact us form, your information will be retained indefinitely.”
Why is this out of date?
Multiple privacy laws, including GDPR and UK DPA 2018, prohibit companies from storing personal information longer than it is actually needed. Companies that need to comply with these privacy laws need to disclose, in their Privacy Policy, either a specific time period for which data will be kept (e.g. 2 years) or a description of how that time period will be determined (e.g. “we will keep your information until you are no longer a customer”).
If a website’s Privacy Policy still says that it will keep data indefinitely, then chances are that the Privacy Policy was not updated for these laws.
Sign 5: Combining the European Union and the United Kingdom
Example: “Residents of the European Union (including the United Kingdom) have the following privacy rights…”
Why is this out of date?
The United Kingdom left the European Union in 2020, so combining the EU and the UK is no longer appropriate.
Next Steps
Alright, so you’ve gone to your Privacy Policy and searched for these signs and have found one or more. What now?
A privacy attorney will always be your best bet, but as you might imagine, this is an expensive option.
Fortunately, Termageddon is a Privacy Policy generator that was founded by a privacy attorney. It will not only help you create a Privacy Policy for your website but will also automatically update your policies (via an embed code) whenever a new privacy law is passed or an existing privacy law is amended, requiring changes in website policy disclosures.
That means you never have to read blogs about Privacy Policies ever again!