I was probably the most annoying kid on the planet – literally always asking “why” and “how”. To the general dismay of everyone around me, I wanted to know how everything worked, from electricity to bees. How do you explain to a child what is inside of a bee in less than five minutes? No idea. Here at Termageddon, we are very fortunate to have clients who are interested in the “how” of our product, namely how we make sure that your policies are up to date with changing legislation. And that is a question that I can answer. So grab your beekeeper’s suit and let’s go!
First, why even update policies?
It would make our jobs much easier if every country and state agreed on privacy laws and settled with one, rarely changing law. But, people don’t work that way.
Currently, we’re tracking around 30 privacy bills at any given time. Some of these are signed into law, some are forgotten about and left to collect dust. It’s our job to keep an eye on them and, if passed, update our customers’ policies accordingly. Six new privacy laws went into effect in 2023 with another three going into effect for 2024. Each of these laws requires changes to website policies for businesses who meet the criteria for these laws. And, by the way, each law has different criteria, to make things even more fun.
So, it’s important to always make sure that you don’t just have policies for your website, but also a plan in place to ensure they keep up with ever-changing laws.
Gathering information: new laws and cases
So how do we keep track of all of that information to make sure that nothing is missed? First, I have set up alerts on the relevant terms in LexisNexis (it’s kind of like Google Alerts but for lawyers). Every time there is a new bill being proposed, a new law being adopted or a case that contains any of the search terms, I get an email. Below is a picture illustrating some of those alerts and an email that I received with the relevant case law.
Obviously, just like Google, not all search results are relevant so I have to sift through the alerts to make sure that I am considering only relevant information. As any good research assistant knows, all of your information should not come from just one place. That is why I am on the American Bar Association’s E-privacy Committee and on the Cybersecurity Legal Task Force. Lastly, as I am a Certified Information Privacy Professional, I get access to the International Association of Privacy Professionals’ resources. For example, the IAPP provides a privacy law comparison table (see below) that provides helpful information about all privacy bills that are being considered or have become law in the United States.
The IAPP is an absolute wealth of information and also provides a list of all GDPR enforcement actions, which can be found here. I often perform Google searches and searches of Data Protection Authority websites for new GDPR-related decisions. Lastly, I also keep up to date with the laws that govern Terms and Conditions and our other policies in the same ways.
Gathering information: government guidance
While it is important to keep track of new bills, laws and cases, it is also important to follow government guidance and interpretations as well. Government agencies provide invaluable advice as they will often tell you what will be enforced and how. I am a frequent visitor to the Federal Trade Commission’s blog as the FTC ensures that businesses take consumers’ privacy seriously and do not injure consumers with deceptive claims. For example, do you know why Termageddon’s Terms and Conditions do not ask you whether you want to prohibit your customers from leaving bad reviews on your business? We don’t include this option because doing so violates the Consumer Review Fairness Act, which can get you in big trouble. See below for a snapshot of one of the FTC’s blog posts about this topic. The whole post can be found here. Quick note: their blog is the most wholesome and funny writing I’ve ever had the pleasure to read.
You can often find me lurking on other government websites such as the websites of state Attorneys General, the Information Commissioner’s Office website and Data Protection Authority websites.
Gathering information: articles and opinions
Lastly, I keep up to date with opinion pieces and articles that discuss privacy and technology, industry takes on privacy and information on what the general public thinks of the privacy protections in place today. This would include websites such as TechCrunch, The Verge, Electronic Frontier Foundation, IAPP and news websites. Knowing the general feel of the industry and the public on privacy and technology helps me understand trends in enforcement and legislative action and allows me to understand and reflect on where our industry is going in the future.
Updating your policies
It is important to note that I perform all of the above actions not just for Privacy Policies, but also for Terms and Conditions, End User License Agreements and Disclaimers. After I gather the information, it’s time to analyze it and determine how policies will be affected. Stay tuned for a blog post on how that’s done!
Protect yo’ self,
Team Termageddon