Why is every company updating their Privacy Policy?


Donata Stroink-Skillrud

Co-founder and President of Termageddon

If you look through your emails, chances are that you have received quite a few “we have updated our Privacy Policy” emails lately. You may even be asking yourself, “why is every company updating their Privacy Policy?” Perhaps more importantly, you may be asking yourself whether you need to update your website’s Privacy Policy as well. Generally speaking, the answer to “why is every company updating their Privacy Policy” is as follows:

  • Increased enforcement of existing privacy laws;
  • Updates to existing privacy laws that change the required Privacy Policy disclosures;
  • Passage of new privacy laws; and
  • Changes to privacy practices.

In this article, we will discuss the above reasons for Privacy Policy updates so that you know why they occur and whether you need to update your company’s Privacy Policy too.

Increased enforcement of existing privacy laws

The collection of Personally Identifiable Information (PII) such as names, emails, phone numbers and IP addresses by websites is regulated by the following privacy laws:

  • California Consumer Privacy and Protection Act (CalOPPA);
  • California Privacy Rights Act (CPRA);
  • Delaware Online Privacy and Protection Act (DOPPA);
  • Nevada Revised Statutes Chapter 603A;
  • Personal Information Protection and Electronic Documents Act (PIPEDA);
  • General Data Protection Regulation (GDPR);
  • United Kingdom Data Protection Act of 2018 (UK DPA);
  • Australia Privacy Act of 1988;
  • Oregon Consumer Privacy Act;
  • Utah Consumer Privacy Act;
  • Virginia Consumer Data Protection Act (VCDPA);
  • Colorado Privacy Act;
  • Connecticut SB6.

What a lot of business owners do not realize is that these laws can apply to you even if you are not located in the state or country in which they are passed. For example, one of California’s privacy laws, CalOPPA, applies to any website that collects the PII of California residents. This means that virtually any modern website with a contact form needs to comply with CalOPPA. These laws require certain websites to have a Privacy Policy that contains a series of very specific disclosures and can impose heavy penalties for failing to have one. Fines for non-compliance can range from $2,500 per website visitor whose privacy rights you infringed upon to €20,000,000 or more in total.

As consumers have started to care more about their privacy and thus complain about privacy abuses, the number of fines being issued to companies for privacy law non-compliance has also increased. While only the larger fines, such as WhatsApp’s €225 million fine for an unclear Privacy Policy, have made the news, many are surprised to learn that hundreds of smaller companies have been fined as well. For companies that have not had a Privacy Policy that contains all of the disclosures required by the laws that apply to them, this has been a wake-up call. Rather than waiting to be fined, they have updated their Privacy Policies and sent their customers emails informing them of the changes. While it is always best to comply with laws from the start, these companies are showing that it is best to get back on track with a compliant Privacy Policy as soon as possible.

Updates to existing privacy laws

The second answer to the question of why is every company updating their Privacy Policy is changes to existing privacy laws. Companies that have a Privacy Policy that complies with the laws that apply to them may also need to update their Privacy Policy when those laws change. As tracking technologies, consumer expectations with regard to their privacy and company privacy practices change, privacy laws are often updated to keep pace with these changes as well. For example, in October of 2019, Nevada’s privacy law, Nevada Revised Statutes Chapter 603A, was updated with Senate Bill 220. The update required Privacy Policies to include additional disclosures: whether PII is sold and how consumers can opt out of such sales. That is the reason why many companies were updating their Privacy Policies in late 2019.

Another great example of changes to privacy laws is the changes to the regulations for the California Privacy Rights Act (CPRA). Regulations are a set of rules that are used to implement the specifics of a particular law and are often used as a guide on how to comply with the requirements of that law. The regulations of the CPRA have been updated multiple times and these updates have led to new disclosures being required in some Privacy Policies.

Lastly, a lot of companies were updating their Privacy Policy when the United Kingdom left the European Union in 2020. Prior to Brexit, Privacy Policies stated the rights that applied to residents of the European Union, where European Union residents could file a complaint about the handling of their PII, and whether PII would be transferred outside of the European Union. Once the United Kingdom left the European Union, Privacy Policies had to be updated to include these disclosures for residents of the United Kingdom.

As you can see, updates to existing privacy laws and their regulations are also an answer as to why is every company updating their Privacy Policy.

Passage of new privacy laws

With no federal privacy law in the United States governing the collection of PII by business websites, states are taking it upon themselves to pass privacy laws that provide privacy rights to their residents. In fact, there are over a dozen proposed privacy bills in the United States right now that, if passed, would require new disclosures to be included in Privacy Policies. And, with so many bills being proposed, laws are being passed at an increasing rate. For example, the following privacy laws were recently passed and will go into effect in the coming years:

  • NJ SB 332 (effective January 16, 2025)
  • Delaware (effective January 1, 2025)
  • Oregon Consumer Privacy Act (effective July 1, 2024)
  • Texas Data Privacy and Security Act (effective July 1, 2024)
  • Montana Consumer Data Privacy Act (effective October 1, 2024)
  • Tennessee Information Protection Act (effective July 1, 2025)
  • Indiana SB5 (effective July 1, 2026)
  • Iowa SF262 (effective January 1, 2025)
  • New Hampshire SB 255 (effective January 1, 2025)
  • Kentucky HB15 (effective January 1, 2026)
  • Nebraska LB1074 (effective January 1, 2025)

Changes to privacy practices

The last answer to the question of why is every company updating their Privacy Policy is changes to privacy practices. Your Privacy Policy needs to accurately reflect your privacy practices or it can be confusing or even deceptive to consumers. For example, if your Privacy Policy states that you do not sell PII but you do actually sell it, your Privacy Policy is not accurate and could thus be in violation of multiple privacy laws. It is common for business websites to update with new features that collect more PII or share the PII with new third parties. However, those website updates mean that the Privacy Policy needs to be updated as well, leading to customers receiving email updates of new Privacy Policy disclosures.

As you can see, companies often update Privacy Policies due to increased enforcement of existing privacy laws, changes to existing privacy laws, the passage of new privacy laws or changes to privacy practices. If tracking privacy bills and changes to privacy laws sounds overwhelming, use Termageddon’s Privacy Policy generator to create your Privacy Policy as we will update your Privacy Policy for you whenever new privacy laws are passed or existing privacy laws are amended.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
