Is your Privacy Policy truthful?

Published on January 26, 2026 by Donata Stroink-Skillrud in MainWP Blog under Privacy, WordPress Business

The fact is that most companies know by now that they need to have a Privacy Policy. Most modern websites collect personal information such as names, emails, phone numbers and IP addresses through features such as contact forms, email newsletter subscription forms, account creation forms, eCommerce, analytics or advertising, thereby subjecting the business to privacy laws, which require them to have a Privacy Policy. When it comes to Privacy Policies, there are a few basic standards that need to be met. First, the Privacy Policy must include all of the disclosures required by the privacy laws that apply to the business. Second, the Privacy Policy needs to be updated for changing legislation, rules and regulations. And, lastly, the Privacy Policy must accurately state the business and privacy practices of the website owner. Whether through haste, misunderstanding, or lack of knowledge, this last requirement is one that many business owners struggle with. In this article, we will discuss the most common elements of a Privacy Policy where we see untruthful statements, causing business owners to be at risk of fines, lawsuits, and even customer ire. 

What personal information is collected through the website

The first part of a Privacy Policy that frequently contains false statements is the section that describes what personal information is collected through the website. Many website owners incorrectly assume that their website does not collect any personal information, or that they do not need to list the personal information that they collect because the individual is providing that information voluntarily; others simply do not update this section when their website changes (e.g. an email newsletter subscription form was added but the policy was not updated to state that emails are being collected). 

To ensure that this section accurately reflects privacy and business practices, website owners should perform a thorough review of their website, including all potential features that could be collecting personal information. For example, the website owner should review the front end of their website to see what forms such as contact forms, email newsletter subscription forms, or account creation forms are in place and what information they request the website visitor to provide. In addition, an analysis of the back end features of the website should be performed as well. For example, tools such as Google Analytics, the Meta Pixel, reCAPTCHA and even YouTube videos can collect personal information from website visitors. After the analysis is performed, you should have a comprehensive list of the personal information that your website collects and this list should go into the Privacy Policy. 

It is important to note that the fact the individuals are providing this information voluntarily does not mean that you are exempt from Privacy Policy requirements. Voluntarily providing the information is relevant only to the legal basis (more on that below), but all information must be covered in the Privacy Policy, regardless of whether or not it is provided voluntarily. Lastly, if your company updates its website to collect more personal information than it did previously, the Privacy Policy must be updated to reflect this change as well. 

Legal basis of processing personal information 

Certain privacy laws such as the General Data Protection Regulation (GDPR) and the United Kingdom Data Protection Act (UK DPA) prohibit the collection and processing of personal information unless a specific exception, also called a “legal basis”, applies. Most businesses state in their Privacy Policy that they collect and use all personal information under the “consent” legal basis, meaning that the individual provided their information to the business voluntarily and agreed to their personal information being collected and used. While this is the correct legal basis for responding to contact form inquiries or for sending email marketing, it is not always the appropriate legal basis for other uses. 

For example, if a customer purchases a product from your website and you need to process their personal information to ship them the product, the appropriate legal basis would be performance of a contract. In addition, if you need to process the personal information to pay a sales tax, then you would want to use the legal obligation legal basis. 

The inappropriate use of legal bases is not only an issue that can lead to a hefty fine, it can also remove your access to customer information that you actually need to run your business. This is because individuals residing in certain areas such as the EU or the UK have the right to revoke their consent. So, if you collect and use their personal information under the consent legal basis and consent is revoked, you can no longer retain or use their personal information. This means that you may not be able to send your customers information about billing, their purchases, or other similar business emails if they revoke their consent. It is important to assign the appropriate legal basis to the processing of personal information and to list it accurately within your Privacy Policy so that you can continue to operate your business and use personal information for the purposes for which it was collected. 

Sharing of personal information 

If I had a dollar for every time that a business owner, a contact form, or a website told me that they “do not share personal information with anyone”, I’d be rich. This is a very common misconception that is seen all over websites and Privacy Policies and it is probably the most common red flag of privacy law noncompliance. 

The fact is that most (if not all) modern websites will share personal information with third parties, which is a completely normal practice. For example, if you receive an email whenever someone submits a contact form on your website, you are sharing personal information with your email service provider. If your website is built on a CMS such as WordPress, WordPress will store a copy of the form in the backend and thus personal information is shared with your CMS. If you sell physical products on your website and then ship those products using a third party provider such as FedEx or USPS, then the personal information (name and address) is shared with the shipping provider. If you send email newsletters through a service such as MailChimp or Constant Contact, the email addresses are being shared with the email marketing provider. There are many other examples of sharing personal information and it is almost impossible to have a modern website without sharing personal information. 

While it may seem scary, it is important that your Privacy Policy accurately states that you do share personal information (if that is the case). If you are unsure, think of all the vendors that you use and which vendors may gain access to your website visitors’ personal information. You can also use your website as a regular visitor and submit your information to each feature of your website that asks for personal information – which vendors end up receiving access to that personal information? Which vendors track you as you use the website (e.g. Google Analytics or Meta Pixel)? Those are the vendors that you (as the website owner) would be sharing personal information with. 

Information retention 

Another section of the Privacy Policy where I often see untruthful statements is the information retention section. The purpose of this section is to state how long you will keep the information that is provided to you. Usually, this disclosure states that information is kept: 

  1. For a certain period of time (e.g. 7 years from the date of submission); or 
  2. Until a certain factor is met (e.g. until the individual who provided the information is no longer a customer). 

Individuals rely on this section to determine how long their information will be kept and when it will be deleted. 

The mistake that most businesses make here is the assumption that they can keep information indefinitely. Therefore, they put in an arbitrary amount of time or state that they will retain the personal information until the individual asks them to delete it. However, privacy laws dictate that information cannot be retained indefinitely and that businesses need to have a clear data retention schedule. So, for example, instead of stating that information will be retained indefinitely or until the individual requests deletion, it makes more sense for the business to state that the information will be deleted once the individual unsubscribes from newsletters (for email marketing) or once they are no longer a customer, if that’s what applies. And, if the Privacy Policy states that, then you must ensure that you actually delete the personal information at the time listed in your Privacy Policy. 

Transferring data 

Many privacy laws require businesses to disclose whether they transfer personal information outside of the country in which the individual resides. For example, if an individual resides in the European Union, they have the right to know whether their personal information will be transferred to another country, such as the United States. This is because certain countries do not provide the same privacy protections as others (e.g. the United States does not have a federal privacy law that applies to information commonly collected through websites). When it comes to this section, many businesses incorrectly assume that they are not transferring personal information outside of their country. This is erroneous because: 

  1. You need to disclose whether you are transferring personal information outside of the website visitor’s country. For example, if the website visitor is in the EU and you are a US company, you are transferring personal information outside of the EU and into the US; 
  2. You need to keep in mind the vendors with whom you are sharing personal information. For example, let’s say that the website visitor is in the EU and so is your company. However, you use MailChimp for email marketing, which is a US-based company. You are sharing personal information with MailChimp, and thus personal information is transferred to the United States. 

As you can see from the above, there are a lot of misconceptions about privacy that cause businesses to have untruthful statements in their Privacy Policies. Hopefully, this article has helped clear up some of those misconceptions, and with these facts in hand you can go in and update your Privacy Policy to accurately reflect your actual business and privacy practices.
