5 Reasons Why You Need to Review Your Data Privacy Policy Now

‍

Without a doubt, data privacy will be a much bigger focus for small- and medium-sized businesses in 2023, as the U.S. states of California, Colorado, Connecticut, Utah, and Virginia all enact stricter privacy legislation. Similarly, the Canadian province of Quebec is also in the process of updating its data privacy laws. 

As you can imagine, each of these regulations has its own specialized requirements, so preparing for the major changes can be daunting, particularly if you’re a larger organization that does business in multiple states. However, a good place to start – no matter where you do business – is by updating your company’s data privacy policy.

What Is a Privacy Policy? 

Let’s begin with the definition of a privacy policy from TechTarget:

“A privacy policy is a document that explains how an organization handles any customer, client or employee information gathered in its operations… Most websites make their privacy policies available to site visitors.” 

Based on that definition, it’s pretty clear that your privacy policy is extremely prominent to your consumers, competitors, and regulatory agencies. So, it’s in your best interest to always keep it updated. 

Why Do I Need to Review My Privacy Policy? 

There are many reasons why you need to keep your privacy policy updated, but not all of them are legal in nature. Five key reasons are recapped below: 

1. You Need to Conform with New and Changing Regulations

As noted above, the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) all have consumer notification requirements that could impact your company’s data privacy policy, particularly if it hasn’t been updated recently. Quebec’s Private Sector Privacy Act also imposes strict requirements on affected businesses. 

2. Government Entities Will Become More Vigilant About Potential Violations

Many financial analysts predict that global economic growth will slow in 2023. With that in mind, we can anticipate that government entities will become much more proactive in assessing fines for violations of data privacy regulations.  

For example, the California Attorney General’s office announced in August 2022 that cosmetics retailer Sephora would pay $1.2 million in fines as a result of its California Consumer Privacy Act (CCPA) violations. Specifically, the State of California determined that Sephora did not tell customers it was selling their personal data, neglected to process requests from users who opted out of the sale of their data, and failed to resolve its CCPA violations within the 30-day time period required by the law.

3. It’s a Consumer-Friendly Business Practice

This aspect is frequently overlooked: Consumers are taking their personal privacy more seriously, so updating your privacy policy demonstrates that your company also takes it seriously. According to research by digital technology company Cisco, up to one-third of consumers can be considered “privacy actives” who stopped doing business with a particular organization based on its data privacy practices. 

This is especially important if your company does business with consumers who are minors. For example, the Children’s Online Privacy Protection Act (COPPA) requires an “operator” to obtain verifiable parental consent before personal information is collected, used, or disclosed from children under the age of 13. Specifically, Part 312.5 of COPPA requires consent to any material change in the collection, use, or disclosure practices to which the parent had previously consented. The new or changing state regulations referred to above can contain special data privacy requirements that pertain to minors as well.  

Recently, the U.S. Federal Trade Commission (FTC) announced that video gaming firm Epic Games will pay $275 million to the U.S. government to resolve claims that it violated the COPPA by gathering the personal information of children under the age of 13, without receiving their parents’ verifiable consent. According to the FTC, it is the largest fine the agency has ever imposed for a regulation that it enforces. 

4. Mergers, Acquisitions, and Entry into New Business Markets May Have Resulted in Obsolete Policies

Mergers and acquisitions can result in privacy policies that are misaligned with current business practices, so it’s important to take a look at your current privacy policy with fresh eyes. And, entry into new business markets can expose your company to data privacy regulations that may not have pertained to your organization in the past. 

5. Your Privacy Policy Needs to Align with How Your Company Currently Processes Data 

Data privacy regulators are taking a much closer look at the way organizations are processing their sensitive data. So, if you’ve had recent changes to your processing approach, you need to ensure that your privacy policy is aligned with current processes. 

Take Action Now

If you’d like to learn how to create a privacy policy page that can be linked to your company’s website – while aligning it with rapidly-evolving regulations – try the Egnyte Data Privacy Policy Generator now.

‍