Unfortunately, the days of putting a Privacy Policy on your website and never looking at it again are long gone. The truth is that Privacy Policies are changing at an increasingly fast pace and, if you are not keeping up with that pace, you could be putting your business at risk of privacy-related fines and lawsuits. Thus, it is more important than ever to have a strategy to keep your Privacy Policy up to date and accurately communicate changes to consumers. However, even if you have such a strategy in place by, for example, using Termageddon’s auto-updating Privacy Policy generator, you may still be wondering how to handle Privacy Policy updates. In this article, we will discuss when you may need to update your Privacy Policy, whether you need to notify individuals visiting your website of such updates, and if you need obtain consent for certain changes.
Table of Contents
When do you need to update your Privacy Policy?
The first consideration of how to handle Privacy Policy updates is knowing when you need to update your Privacy Policy. Companies usually update their Privacy Policies for the following reasons:
- The bring their Privacy Policy in compliance with the privacy laws that apply to them. If the creator of your Privacy Policy did not base the disclosures contained therein upon the privacy laws that apply to you, it is most likely not compliant and could put you at risk of fines and even lawsuits. As privacy laws become increasingly enforced, companies are updating their Privacy Policy to become compliant;
- To meet the disclosure requirements of changing privacy laws. As technologies impacting privacy and consumer requirements change, so do existing privacy laws and the disclosures that they require to be included in a Privacy Policy. Companies need to update their Privacy Policies to include those new disclosures;
- To meet the disclosure requirements of new privacy laws. With over a dozen privacy bills proposed in the United States, and countries such as Canada proposing new bills as well, new privacy laws are being passed at an increasing rate. As new laws are passed, companies need to update their Privacy Policies to include the new disclosures required by such laws; and
- To accurately reflect changing privacy practices. A Privacy Policy needs to accurately reflect a company’s privacy practices. As privacy practices change, Privacy Policies need to be updated as well.
If any of the above happens and a Privacy Policy needs to be updated, companies will either engage an attorney, use the services of a generator such as Termageddon or will ask a staff member to make updates. Regardless of how you are updating your Privacy Policy, you may need to notify the visitors of your website and your customers that a change has been made.
Notifying customers of changes to Privacy Policies
The first answer to how to handle Privacy Policy updates is to follow your Privacy Policy. Privacy laws such as the California Online Privacy and Protection Act of 2003 (CalOPPA), Delaware Online Privacy and Protection Act (DOPPA), Nevada Revised Statutes Chapter 603A, and Australia Privacy Act 1988, if they apply to you, will require your Privacy Policy to disclose how you will notify consumers of changes to your Privacy Policy. Thus, you should read your Privacy Policy, find this disclosure and follow your promise to consumers. If your Privacy Policy states that you will post the updated Privacy Policy to your website, then you must do so. In addition, if your Privacy Policy states that you will email the consumers on your list, then you must send an email to such list informing them of the changes that you have made.
How to handle Privacy Policy updates: notifying your website’s visitors
As more consumers are checking whether websites have a Privacy Policy and the privacy practices discussed in such policies, the next consideration in how to handle Privacy Policy updates is notifying the visitors of your website of such updates. Multiple privacy laws such as CalOPPA, DOPPA, and Nevada Revised Statutes Chapter 603A require Privacy Policies to disclose their effective date or last updated date. If your Privacy Policy does include this disclosure, website visitors can look at the date and quickly see that there has been an update. This disclosure essentially puts the visitor on notice that they should look for changes and is an easy and efficient way to communicate that a change has been made. If you used the Termageddon Privacy Policy generator, your Privacy Policy already includes this disclosure and the date is automatically updated each time you make a change to your Privacy Policy.
Obtaining consent to Privacy Policy changes
The final consideration in how to handle Privacy Policy updates is whether you need to obtain consent from consumers for updates to your Privacy Policy. While obtaining consent can be in the form of an email, it is more than sending an email informing a consumer of changes. To obtain consent, you will not only need to inform the individual of the change, but will also need to obtain their express approval of that change by, for example, having them click on a button to agree to your updated Privacy Policy.
You may need to obtain consent if you are processing Personally Identifiable Information (PII) under the consent legal basis of the General Data Protection Regulation (GDPR), and the United Kingdom Data Protection Act 2018 (UK DPA 2018). In addition, you may also need to obtain express consent under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) if any of the following circumstances are present:
- The PII that you collect, use or disclose is sensitive;
- The collection, use or disclosure of the PII is outside of the reasonable expectations of the individual; or
- The collection, use or disclosure of the PII creates a meaningful residual risk of significant harm to the individual.
If the above applies to you, you will need to obtain express consent to certain changes of your Privacy Policy. You can obtain consent by emailing your list and asking recipients to agree to your updated Privacy Policy or by creating a notice and button on your website that asks individuals to agree to your updated Privacy Policy.
Whichever notification method you choose, it is always important to remember that you should make an effort to notify consumers of changes to your privacy practices, especially when those practices change.
