What Is the Worst Type of Online Privacy Policy … and Why Does it Matter?
Even if the title is click-bait, this is not a trick question. There is one type of online privacy policy that is objectively worse than all of the others. It does not relate to when it was created, whether it was crafted internally or by an outside expert, or even how much (if anything) you paid to prepare the privacy statement used on your startup's website or mobile app.
The number one worst type of online privacy policy is one that a startup copies and pastes from another online service. Does this really happen? Yes – all the time. Imitation may be the sincerest form of flattery, but some copiers are so egregious that they do not carefully check and remove the references to the other company before posting it to their website.
The biggest problem—and why you should care—about copying someone else's privacy policy is that the commitments and representations made in your privacy policy create a legally enforceable obligation for your company. If the policy you copied says something that you didn't intend or doesn't match with your actual practices, then your startup could still be on the hook for those commitments.
If you fail to abide by the commitments you've made, then you may face potential lawsuits from the Federal Trade Commission, state attorneys general and, in some cases, by plaintiffs' class action lawyers. While you may have copied the policy to save time and money, it may cost you more in the end.
I get it—"they all say the same thing"—so why do I really need my own custom privacy policy? Here's why you need a custom privacy policy.
- 1. Your privacy policy represents your values – What you tell your customers about how you collect, use, and share their personal information reflects the ethos of your company. If you can't take the time to tell your unique privacy story, some customers may rightly be suspect about whether you value their privacy at all.
- 2. It is necessary in order to use many third-party online services – You know those terms and conditions that you clicked through quickly without reading for the analytics service, social media platform, and demand-side advertising platform that you integrated into your website or app? Buried in the fine print of those terms and conditions is likely an obligation that requires your company to post a privacy statement that accurately describes your data collection and use practices.
Some may even require you to include a disclosure in your policy that is specific to that third-party service provider and include a hyperlink back to their privacy policy or a consumer choice mechanism. If you breach the terms of the agreements you have with these third-party service providers, you run the risk of being suspended or even prohibited from using their services in the future. - 3. It is necessary to comply with privacy laws – Depending on the industry you're in, what types of information you collect, and where you do business, there are a variety of different legal requirements that may require your company to publish and maintain an accurate privacy policy. Copying someone else's policy may not account for state law or other obligations. Complying with applicable law is a prerequisite to running a business.
- 4. People are paying more attention to their privacy – Consumers are growing more interested in how companies collect and use their personal information, especially when their data is shared with third parties for reasons unrelated to providing the requested product or service. A poorly formulated or missing privacy policy tells consumers that your startup isn't paying attention to privacy. Class action lawyers are also paying attention and are willing to take on claims when a consumer contacts them with a privacy issue. Plus some courts are even allowing suits to proceed without any measurable harm to a consumer – just an apparent violation of applicable law. Savvy investors are also paying more attention to privacy, and you don't want a bad privacy policy to stand out in any due diligence.
While it may be tempting to Ctrl+C and then Ctrl+V your startup's privacy policy, you should take care to make sure your policy accurately reflects your company's legal oblications as well as privacy practices and commitments.
The next runner-up to copying someone else's privacy policy is allowing your privacy policy to go stale and drift away from your actual privacy practices or not remain up to date with existing or changing legal obligations. Learn more about the things you should consider when preparing or updating your privacy policy.
ABOUT THE AUTHOR – Christopher Avery is a practicing privacy and data security attorney who works with companies big and small to elevate their privacy programs and solve their data security challenges. Christopher is also the founder of his own startup, LastLtr.com.
This article was originally featured as a startup law advisory on DWT.com on September 08, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.