Why is every company updating their Privacy Policy

If you look through your emails, chances are that you have received quite a few “we have updated our Privacy Policy” emails lately. You may even be asking yourself why is every company updating their Privacy Policy? Perhaps more importantly, you may be asking yourself whether you need to update your website’s Privacy Policy as well. Generally speaking, the answer to “why is every company updating their Privacy Policy” is as follows:

  • Increased enforcement of existing privacy laws;
  • Updates to existing privacy laws that change the required Privacy Policy disclosures;
  • Passage of new privacy laws; and
  • Changes to privacy practices.

In this article, we will discuss the above reasons for Privacy Policy updates so that you know why they occur and whether you need to update your company’s Privacy Policy too.

Increased enforcement of existing privacy laws

The collection of Personally Identifiable Information (PII) such as names, emails, phone numbers and IP addresses by websites is regulated by the following privacy laws:

  • California Consumer Privacy and Protection Act (CalOPPA);
  • California Consumer Privacy Act (CCPA);
  • Delaware Online Privacy and Protection Act (DOPPA);
  • Nevada Revised Statutes Chapter 603A;
  • Personal Information Protection and Electronic Documents Act (PIPEDA);
  • General Data Protection Regulation (GDPR);
  • United Kingdom Data Protection Act of 2018 (UK DPA 2018); and
  • Australia Privacy Act of 1988.

What a lot of business owners do not realize is that these laws can apply to you even if you are not located in the state or country in which they are passed. For example, one of California’s privacy laws, CalOPPA, applies to any website that collects the PII of California residents. This means that virtually any modern website with a contact form needs to comply with CalOPPA. These laws require certain websites to have a Privacy Policy that contains a series of very specific disclosures and can impose heavy penalties for failing to have one. Fines for non-compliance can range from $2,500 per website visitor whose privacy rights you infringed upon to €20,000,000 or more in total.

As consumers have started to care more about their privacy and thus complain about privacy abuses, the number of fines being issued to companies for privacy law non-compliance has also increased. While only the larger fines such as WhatsApp’s €225 million fine for an unclear Privacy Policy have made the news, many are surprised to learn that hundreds of smaller companies have been fined as well. For companies that have not had a Privacy Policy that contains all of the disclosures required by the laws that apply to them, this has been a wake up call. Rather than waiting to be fined, they have updated their Privacy Policies and sent their customers emails informing them of the changes. While it is always best to comply with laws from the start, these companies are showing that it is best to get back on track with a compliant Privacy Policy as soon as possible.

Updates to existing privacy laws

The second answer to the question of why is every company updating their Privacy Policy is changes to existing privacy laws. Companies that have a Privacy Policy that complies with the laws that apply to them may also need to update their Privacy Policy when those laws change. As tracking technologies, consumer expectations with regard to their privacy and company privacy practices change, privacy laws are often updated to keep pace with these changes as well. For example, in October of 2019, Nevada’s privacy law, Nevada Revised Statutes Chapter 603A, was updated with Senate Bill 220. The update required Privacy Policies to include additional disclosures – whether PII is sold and how consumers can opt out of such sales. So, that is the reason why many companies were updating their Privacy Policies in late 2019.

Another great example of changes to privacy laws is the changes to the regulations for the California Consumer Privacy Act (CCPA). Regulations are a set of rules that are used to implement the specifics of a particular law and are often used as a guide on how to comply with the requirements of that law. The regulations of the CCPA have been updated multiple times and these updates have led to new disclosures being required in some Privacy Policies. In addition, with the passage of Proposal 24, the CCPA is being updated to the California Privacy Rights Act (CPRA). The CPRA will offer new privacy rights to California consumers, thus requiring updates to Privacy Policies of companies that need to comply with the CPRA.

Lastly, a lot of companies were updating their Privacy Policy when the United Kingdom left the European Union in 2020. Prior to Brexit, Privacy Policies stated the rights that applied to residents of the European Union, where European Union residents could file a complaint about the handling of their PII, and whether PII would be transferred outside of the European Union. Once the United Kingdom left the European Union, Privacy Policies had to be updated to include these disclosures for residents of the United Kingdom.

As you can see, updates to existing privacy laws and their regulations are also an answer as to why is every company updating their Privacy Policy.

Passage of new privacy laws

With no federal privacy law in the United States governing the collection of PII by business websites, states are taking it upon themselves to pass privacy laws that provide privacy rights to their residents. In fact, there are over a dozen proposed privacy bills in the United States right now that, if passed, would require new disclosures to be included in Privacy Policies. And, with so many bills being proposed, laws are being passed at an increasing rate. For example, two new privacy laws were recently passed in the United States – the Colorado Privacy Act and the Virginia Consumer Data Protection Act. In addition, Quebec recently passed Quebec Bill 64, a new privacy law that provides new rights to residents of Quebec. Utah just passed a new privacy law, the Utah Consumer Privacy Act, which goes into effect in 2023. Lastly, Connecticut passed SB6, another privacy law that requires updates to Privacy Policies. These laws require new disclosures to be made in the Privacy Policies of businesses that need to comply with them. Thus, chances are that you will be seeing more Privacy Policy update emails prior to these laws taking effect in 2023.

In addition, certain proposed privacy bills, if passed, would allow consumers to sue businesses of any size or location, simply for collecting PII through a contact form without having a compliant Privacy Policy. Thus, if bills such as the New York Right To Know Act of 2021 or Canada’s C-11, both of which include a private right of action, pass, there will be an increase in the risk of lawsuits. With an increase in lawsuits, we will see more companies both creating their Privacy Policies and updating them with new required disclosures.

Changes to privacy practices

The last answer to the question of why is every company updating their Privacy Policy is changes to privacy practices. Your Privacy Policy needs to accurately reflect your privacy practices or it can be confusing or even deceptive to consumers. For example, if your Privacy Policy states that you do not sell PII but you do actually sell it, your Privacy Policy is not accurate and could thus be in violation of multiple privacy laws. It is common for business websites to update with new features that collect more PII or share with new third parties. However, those website updates mean that the Privacy Policy needs to be updated as well, leading to customers receiving email updates of new Privacy Policy disclosures.

As you can see, companies often update Privacy Policies due to increased enforcement of existing privacy laws, changes to existing privacy laws, the passage of new privacy laws or changes to privacy practices. If tracking privacy bills and changes to privacy laws sounds overwhelming, use Termageddon’s Privacy Policy generator to create your Privacy Policy as we will update your Privacy Policy for you whenever new privacy laws are passed or existing privacy laws are amended.

Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.