Three Common Mistakes Companies Make with Their Privacy Policies

29th April 2015

The privacy policy is the core element of the overall contract between your company and the prospects and customers that share their data with you. Here are three common mistakes companies make when building or examining their privacy policies.

Reusing another company’s privacy policy as your own.
A number of companies, especially smaller and newer businesses, think of a privacy policy as simply a checklist item on the project completion timeline for getting a website up and running. Much like the standard boilerplate Terms and Conditions legalese that we find on just about every online business site these days, these companies simply copy and paste another business’ privacy policy and link it from their home page. “Done,” they think, and yet they could not be more wrong. Why? For several reasons:

  • A sloppy copy and paste job probably has identifying elements of the other company in it. Business names and addresses and states of operation as well as service names and more can make their way onto your site, making it painfully obvious you lifted the policy from somewhere else—and of course that sends a message about how serious your commitment to privacy is at the end of the day.
  • You may be promising to do something you cannot do—for example, if another service promises to purge information within 15 days of a request, but your service currently has no way to delete information at all, then you are writing a check your privacy policy cannot cash. This can get you into hot water.
  • Some privacy provisions within the United States are state specific. Some states impose statutes, time limits, and required actions, and a copy-paste job has probably not taken into account the location of the business the privacy policy came from versus the location of the business to which the copied policy is now meant to apply.

Never updating your privacy policy after it is first put online.
Privacy moves and transforms over time as your service evolves. Your product or service has new capabilities. You affiliate with different companies, and your marketing department and sales activities continue to develop new ways of using prospect and customer data to offer your wares more effectively. All of these developments and moves have privacy implications, and if your organization is truly committed to walking the privacy walk, you will want to regularly review your privacy policy to ensure it accurately describes your current patterns and practices. I would suggest at least a yearly review, although every six months or even more often might be appropriate for your business’ unique circumstances. Some points to consider during this review:

  • Are we collecting more information than we have previously disclosed?
  • Are we doing more with personal data than we were? What is it, if so, and what are the implications?
  • Are we still using data in the way we disclose it in our privacy policy? Is there any part of the disclosure that is obsolete or no longer applicable?
  • Are there new marketing affiliations or joint ventures to which the privacy policy should apply? Are there any to which it should NOT apply, and do we need to disclose this separately?
  • Has our contact address changed? Phone numbers? Web pages? E-mail addresses? Are there new ways for consumers to get in touch with us to exercise their rights under our privacy policy?

Not taking your privacy policy seriously.
Your customers and your prospects have increasingly serious expectations around how private their personal data is and many actively seek out privacy policies from the companies with which they regularly do business. Governments now take this concept seriously as well. Keep in mind that privacy policies are official disclosure documents and their contents set forth exactly how you intend to operate your business with personally identifiable information. At least in the United States, the Federal Trade Commission does not take kindly to companies that disclose they are going to do actions X, Y, and not Z within their privacy policies but then turn around and do X, put Y on hold, and absolutely put project Z on the fast track. You take on legal obligations to act a certain way and to limit yourself in other ways based on the information and plans you disclose in your privacy policy, so craft it carefully in a way that honors the spirit of privacy while also allowing you to operate your business effectively.

At DataSift, our mission is to provide insights while protecting the consumer’s identity. For more information about Human Data privacy, take a look at our ebook, Balancing Human Data Intelligence and Consumer Trust, and learn about the seven principles you should consider for a privacy-first approach.

  • SecureThoughtsC

    I definitely think making security a part of company culture is important. Easier said than done of course as it needs strong sponsorship from management and that’s not always there. Interesting post 🙂