It's important to update users whenever you make changes to your Privacy Policy in order to comply with laws and regulations. Even if the nature of your update does not require a notice to be sent by law, it's still important to send a notice to demonstrate that your business is trustworthy and cares about the privacy of its users.
In addition, it may help avoid future disputes whereby a user says they are unhappy with an element of the policy that they weren't made aware of. The user may have agreed to your previous Privacy Policy, however if you failed to notify them of any changes that affect them they could potentially take legal action.
Let's consider these reasons in more detail:
To Comply with the Law
Not only is it good business practice to provide users with an update notice, but it's often a legal requirement.
For example, if your business has customers within the European Union (EU) it will be subject to the General Data Protection Regulation, which requires companies to inform users of updates to their legal agreements.
The GDPR came into effect on May 25, 2018 and the regulation applies to any business that allows EU citizens to use their products or services, even if the business is not based in the EU.
To Meet User Expectations
People are becoming increasingly concerned with the safety of their data when accessing websites and apps. Privacy is paramount to users, as is a company's transparency about their privacy practices.
Due to the growing awareness of privacy and data protection, users not only expect to see a Privacy Policy displayed on your website or app, but they also expect to receive a notification whenever this policy changes. Users want to know what they're agreeing to and if this changes after the fact.
Update notices make your business seem more trustworthy and enables you to build a better relationship with your customers.
To Avoid Misunderstandings and Disputes
A customer has the power to take a business to court for failing to follow its own policy. Not only would this be costly, but it could damage the company's reputation.
For example, if your Privacy Policy states that you are open and transparent with users, it wouldn't look good if you neglected to tell them about a policy update. This could trigger a lawsuit.
You can avoid this happening to your business by providing users with update notices. If you've notified your users, they cannot say they haven't been informed of the changes or say it's not what they agreed to.
An update notice also gives users the chance to opt-out or to close their account if they're dissatisfied with the changes.
Children Under 13
If your website or app is targeted towards children who are under 13 years of age or if it has the potential to appeal to them, it is essential to send a privacy notification when you update your Privacy Policy.
The Children's Online Privacy Protection Act requires companies to obtain the consent of the parents or guardians of children under 13 via a direct notification if the company plans to make any changes to the type of data it collects or the way it's processed. If you're updating your Privacy Policy because more data is collected, new consent needs to be sought from parents.
What Should You Include in an Update Notice?
You should always include a link to your fully updated Privacy Policy. It's also best to Include a snapshot or summary of the changes you've made to the policy. For example, you could give a brief overview of any updated points or provide section numbers to help users find the relevant updates.
Users will appreciate a paragraph which states how the changes will affect them. If you've made a change which enhances the privacy of the user this is a great opportunity to build trust.
You may also wish to include why you've made the changes. Is it due to changes in the way your company operates or has a new law come into effect?
You should also state the date the changes come into effect. Ideally you should give users at least 2 weeks notice. If this is not possible, you can give a shorter notice period or state that the change has already come into effect.
Lastly, follow the GDPR guidance when writing your notice.
How Should You Send The Update Notice?
Decide in advance how you will send future updates so that you can include a clause in your Privacy Policy which states what method(s) you will use to notify users of changes.
There are a few different methods of sending a Privacy Policy update notice. The best way is to combine these methods so that users don't miss your update. This is particularly true if the change is significant.
Let's review some of the methods:
Email Notice
An email could be sent at the same time the change comes into effect, or prior to the change coming into effect.
It's best to send the email before the change and to advise users of the date the updated policy comes into effect. This gives users a chance to review the changes to see if they're happy with them prior to them taking effect.
An advantage of emailing your update notice to users is that it makes your business seem open and proactive. Another advantage is that the email provides you with an opportunity to include a concise summary of the changes you've made.
A disadvantage is that in order to send an email update, you'll need a list of your users' email addresses.The email also advised users when the changes would come into effect.
Pop-up Notice
A pop-up notice is a great way to inform users about your updated Privacy Policy.
The main advantage is that the notice will be the first thing users see when arriving at your site. This gives them the chance to leave the site or close the app if they're unhappy with the policy revision.
News Page or Blogpost
A further option is to post a news update or blogpost on your website advising users of the changes to your Privacy Policy.
The advantages of this is there will be space to include a summary of key changes and it doesn't require you to know user's email addresses.
A disadvantage is that users might not check your blog or news page regularly. A user could come across an old blogpost about a previous update and mistakenly believe the post related to a current update. To avoid this, make sure you clearly mark the date on the blogpost.
It's advisable to combine methods to ensure you have done everything you can to notify users of your update. This will help to prevent user grievances. Plus, if a user did bring a lawsuit, you would be able to show the court that your users weren't just informed of the updates, but that you also made them as accessible as possible.
Ascentrix Consulting has the latest security tools to help you quickly and effectively meet GDPR requirements. Contact us today for more information.