Why a static Privacy Policy is not a good idea

Let’s face it, as a species, we do not deal well with change. We all have a favorite restaurant, a favorite meal, and a favorite pair of jeans that we would probably enjoy forever if we could. Also, there’s a certain satisfaction in completing an arduous task such as creating your Privacy Policy that instills a hope that you will never have to look at it again – we have all certainly been there.

A static Privacy Policy is one that stays the same and does not change over time. While this approach is certainly appealing, having a static Privacy Policy is simply not a good idea. Privacy is a field of constantly changing and evolving requirements, meaning that your static Privacy Policy can quickly become obsolete and non-compliant. This can put you at risk of privacy-related fines and lawsuits, costing you a significant amount of money and headaches. In this article, we will explore these changing requirements so that you can see why a static Privacy Policy is not a good idea. 

The new era of privacy

If you’ve had a website for many years, you may still have a Privacy Policy that you got from some free template online or that you copied from your competitor five or so years ago, And, the magic of that Privacy Policy was that you never had to look at it again. Why? Because no one really cared about your privacy practices or your Privacy Policy. If a static Privacy Policy was fine five years ago, what has changed to make this no longer the case? 

When you really get down to it, we have to thank Facebook and Cambridge Analytica for the change in consumer attitudes towards privacy, from lackadaisical to concerned and willing to do something about it. In 2018, multiple journalists reported on what we now know as the “Cambridge Analytica scandal”, an incident where millions of Facebook users’ Personally Identifiable Information (PII) was harvested without consent. That PII was then used for political advertising. The scandal opened up the eyes of consumers to the dangers of providing their PII to companies online and showed them just how easy it is to lose their privacy. In fact, the scandal was so upsetting to consumers that they started to pressure their state legislatures to propose and pass privacy laws that would prevent the loss of privacy online. 

The following study results clearly illustrate changing consumer attitudes towards privacy: 

• 84% of respondents said that they are open to new state privacy laws; 
• 91% of respondents said that the right to delete PII and know how their PII is used should extend to all US citizens; 
• 52% of Americans will not use products or services that they believe have privacy issues; and 
• 93% of Americans would switch to a company that prioritizes privacy. 

It is important to note that even though the Cambridge Analytica scandal concerned two large companies with access to the PII of millions of people, consumers have not identified privacy as an issue that only large companies need to deal with. As a result, small businesses have also been swept up in this regulatory storm as well. 

Current privacy laws and who they apply to

Currently, there are multiple privacy laws in place that concern websites that collect PII from consumers. If you are unsure as to whether your website collects PII, take a look at your forms. Do you have a contact form or a newsletter sign up form that collects names, emails, or phone numbers? Have you installed analytics that collects IP addresses? If you’ve answered “yes,” then your website collects PII and multiple privacy laws may apply to you. The privacy laws that are currently in place include: 

• The General Data Protection Regulation (GPDR), which protects the privacy of residents of the European Union and will apply to you if you are offering goods or services to such residents or if you are tracking their behavior online through cookies, pixels, and analytics services; 
• The UK DPA; which protects the privacy of residents of the United Kingdom and will apply to you if you are offering goods or services to such residents or if you are tracking their behavior online through cookies, pixels, and analytics services; 
• The California Online Privacy and Protection Act (CalOPPA), which applies to any website that collects the PII of California consumers; 
• The California Privacy Rights Act (CPRA), which is a new privacy law that protects the privacy of residents of California; 
• The Delaware Online Privacy and Protection Act (DOPPA), which applies to any website that collects the PII of Delaware consumers; 
• Nevada Revised Statutes Chapter 603A, which applies to websites that collect the PII of Nevada residents and that have sufficient connections to the state. Basically, you’ll need to comply with this law if you have customers in Nevada or if you are located in Nevada;
• The Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the privacy of residents of Canada and will apply to websites that collect the PII of Nevada residents in the course of business;
• Quebec Law 25 (goes into effect on September 1, 2023): applies to persons who collect, hold, use or share the personal information of Quebec residents in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property or providing as service.” This means that Quebec Bill 64 will apply to both for-profit and nonprofit organizations that collect the personal information of residents of Quebec.
• Australia Privacy Act of 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000 and the organizations outside of Australia that have an Australian link. It also applies to the following Australian organizations even if they have turnover of less than AUD $3,000,000 per year:
  • Private sector healthcare providers;
  • Businesses that sell or purchase PII;
  • Credit reporting bodies;
  • Contracted service providers for Australian government contracts;
  • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
  • Businesses that have opted in to comply with the law;
  • Businesses that are related to a business covered by the law; and
  • Businesses prescribed by the Privacy Regulation 2013.
• Colorado Privacy Act, which applies to controllers of personal data that:
  • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
    • Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
    • Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 or more Colorado consumers.
• Virginia Consumer Data Protection Act (VCDPA), which applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
  • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
  • Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.
• Utah Consumer Privacy Act , which applies to persons that conduct business in Utah or that produce products or services that are targeted to residents of Utah and that:
  • Have annual revenue of $25,000,000 or more; and
  • Meet one of the following thresholds:
    • During a calendar year, control or process the personal data of 100,000 or more Utah residents; or
    • Derive 50% or more of its annual gross revenue from the sale of personal data and controls or processed the personal data of 25,000 or more Utah residents.
• Connecticut SB6, and applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
  • Controlled or processes the personal data of 100,000 or more Connecticut residents; or
  • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.

There are also several upcoming privacy laws that will go into effect in the future months. These include:

• Iowa SF262 (effective January 1, 2025)
• Indiana SB5 (effective July 1, 2026)
• Tennessee Information Protection Act (TIPA) (effective July 1, 2025)
• Montana Consumer Data Privacy Act (MCDPA) (effective October 1, 2024)
• Texas Data Privacy and Security Act (TDPSA) (effective July 1, 2024)
• Oregon Consumer Privacy Act (OCPA) (effective July 1, 2024)
• Delaware Personal Data Privacy Act (DPDPA)(effective January 1, 2025)
• NJ SB 332 (effective January 16, 2025)
• New Hampshire SB 255 (effective January 1, 2025)
• Kentucky HB15 (effective January 1, 2026)
• Nebraska LB1074 (effective January 1, 2025)

For those breathing a sigh of relief because they are not located in these states or countries, not so fast! Privacy laws protect consumers and not businesses. Anyone from anywhere could be submitting their PII to your website meaning that you may be required to comply with multiple privacy laws, even if you are not physically located in that state or country. When it comes to the application of privacy laws, the factors that matter are: 

• Whose PII you are collecting; 
• Where you do business; 
• Where your customers are located; and 
• Who you track online through cookies, pixels, and analytics services. 

So what does this have to do with your static Privacy Policy? If we assume that you last updated your Privacy Policy five years ago, it is not compliant with GDPR, CPRA, nor the Nevada Revised Statutes Chapter 603A because these laws have been passed or amended in the last five years. Since all of these laws require changes and additional disclosures to be made in your Privacy Policy, your static Privacy Policy is obsolete and could open you up to fines and lawsuits stemming from violations of these privacy laws. 

Your static Privacy Policy is not ready for what’s coming next

Let’s assume that your Privacy Policy was drafted yesterday and that it complies with all of the current privacy laws that apply to you. It’s perfect and compliant, and you cannot wait to never look at it again. Apologies for crushing your dreams but due to the fact that the likelihood of a federal privacy law in the US is slim, and due to consumer pressure, there are now over a dozen proposed privacy bills in the United States. While all of these bills are different, they do share some similarities: 

1. All of the proposed bills would apply to businesses outside of the states in which they are passed; 
2. All of the proposed bills would require websites to have a Privacy Policy that makes very specific disclosures, requiring updates to Privacy Policies; 
3. While some of these bills include an exemption for small businesses, most still require small businesses to comply; 
4. All of the proposed bills would include new privacy rights for consumers;
5. Countries like Australia and the U.K. have proposed changes to their privacy laws that would also impact Privacy Policies.

And here is the real issue that makes having a static Privacy Policy a bad idea – the Privacy Policy will not update when new privacy laws are passed. First, this means that you will have to keep track of privacy bills yourself. Since privacy laws can apply regardless of where your business is actually located, you will need to keep track of privacy bill proposals in all states and even in other countries. Second, once a privacy law is passed, you will need to read it, interpret it, and adjust your Privacy Policy accordingly. Lastly, you will also need to update your Privacy Policy when new regulations are issued, when cases clarify compliance requirements, and when authorities issue new compliance guidelines. If you’re worried about your time, you should know that the regulations for the California Consumer Privacy Act have already been modified four times. That’s a lot of changes for a law that’s been enforceable since July 1st, 2020!

Having an up to date Privacy Policy is important because privacy laws impose heavy penalties for non-compliance. Collecting PII without a Privacy Policy can lead to fines from $2,500 per violation to €20,000,000 or more in total. In this case, “per violation” means per website visitor whose privacy rights you infringed upon. These fines can easily add up to a large amount, even if you have a few hundred website visitors per month. In addition, some of the proposed privacy laws, if passed, would allow consumers to sue businesses directly for violations, exponentially increasing the risk of costly litigtation. 

By failing to update when new privacy laws are passed and when existing privacy laws are amended, your static Privacy Policy puts you in great jeopardy of privacy-related fines and lawsuits. While it may be convenient to file your Privacy Policy away in a dusty corner of your website, this approach simply does not work anymore. When choosing the right policy provider for your business, make sure that you use Termageddon’s Privacy Policy generator, which not only helps you to create a policy that has the required disclosures that you need today but also updates your Privacy Policy when things change, which they will.