
If COVID-19 forced your business online, you need to update your privacy policy

Stephanie Baiocchi

Director of Community & Events, Speaker, Co-Leader of the Chicago HubSpot User Group, Host of ‘The IMPACT Show’ Podcast

July 2nd, 2020

Please note: the information presented below is not legal advice and is for informational purposes only. 

When was the last time you actually read a privacy policy? I mean truly read it. Not just quickly scrolled to the bottom and skimmed the last few words as you hit the “I agree” button. 

I’m guessing the answer is probably never. 

According to a Deloitte survey of 2,000 consumers, 91% of people consent to legal terms and services conditions without reading them. That number jumps to 97% for people ages 18 to 34.

Whether it’s because people don’t know how to read a privacy policy to truly understand it or because the length and volume of privacy policies we encounter is just too much, the fact is that most people do not read privacy policies before accepting them.

When you hear “privacy policy” you may just think of a long page of legal jargon you have to click through to get to the app or website you want. But it’s much more than that. Privacy policies are part of how you take responsibility for protecting your own personal information that gets shared online.

As businesses who want to build trust with our audience, we need to show that we care about enabling our users to protect their personal data and be informed about how their data is used, stored, and protected. 

Progress in the land of privacy

As someone who is passionate about data privacy, I’ve long dreamed of the day when people would read privacy policies and actually hold businesses accountable to them. 

As we’ve moved so many of our daily interactions online due to the recent pandemic and quarantine, more people are starting to pay attention to their online privacy, finally. 

Though we still have a long way to go with getting individuals to do their own research before submitting personal data to apps and websites, the introduction of regulations such as the GDPR and the CCPA has forced businesses to take a step in the right direction with data privacy.

However, privacy policies still seem to be an afterthought for many organizations.

People not reading privacy policies in detail does not make having them any less important. They protect your business from potential lawsuits and massive fines if data is exposed. Plus, just because people aren’t reading the policies in detail does not mean they don’t actually care about their data being protected.

Plus, the recent transition of almost every daily activity to a virtual version, due to COVID-19, has sparked more interest in data privacy among users.

Who knows, people may even start reading privacy policies before clicking “accept.” 

The move online and the risks that come with it

As we frantically scrambled to move our businesses, our schools, even our family dinners online during the early days of the pandemic, many people and businesses failed to look closely at the privacy risks associated with their actions. 

Cillian Kieran, CEO and founder of privacy company Ethyca, wrote in the Harvard Business Review: “Across industries, teams with expertise in real-world spaces are rushing into digital ones where they’re novices and pumping huge amounts of user data into new systems.” 

This is exactly what happened.

For many businesses to survive the pandemic and get quickly on track doing business in the newly virtual world, they were forced to jump into a variety of new tools they knew very little about. 

From moving in-person events online to accepting contactless payments, businesses adopted new technology at an alarming speed and rarely did the necessary due diligence regarding how well these new tools protect the data and personal information they were collecting. 

Unfortunately, every single solution put in place to transition to a virtual experience means risking the mismanagement of data or exposure of personal information.

Beyond just making sure the third-party tool’s privacy practices are legal and in line with your own, you are also responsible for notifying your customers and subscribers of any changes to the way you process, store, or protect their personal information. 

Every time you move a part of your business online without carefully considering how the data used in that process is managed, you are risking exposure and breach of this data.

While this may seem like something that could be a secondary concern to be dealt with after the immediate crisis at hand, that is certainly not the case.

A privacy breach could result in everything from PR nightmares to large fines and even lawsuits. 

Bringing health information into the equation

This is about more than just using new tools for business transactions.

Many organizations are also collecting and sharing a brand new type of information they haven’t dealt with before: personal health information. 

Due to COVID-19, many organizations are collecting information such as temperatures and known exposure to those positive for the virus. They’re also tasked with sharing if someone has tested positive with those who may have been directly exposed. 

For example, if an employee tests positive for COVID-19, it may be necessary to disclose this information to other employees who may have been exposed to this person at work.

However, this information cannot be disclosed without the individual’s consent.

You’ll also need to be sure any COVID-19 related information about an individual is kept safe and secure, with access limited only to those who have permission to acquire it. 

Your business may need to develop policies and procedures for disclosure of any COVID-19 related information about employees.

While privacy policies do not need to be written by a legal professional, you should consult one familiar with online data privacy practices and regulations to make sure your policy covers everything it should.

There are also some tips and tools available later in this article to help you.

Should you update your privacy policy?

Let’s back up for a minute. First of all, what exactly is a privacy policy?

A privacy policy is a statement that explains the types of personally identifiable information you gather from users of your website as well as how you use, store, and disclose that information. 

Exactly what is required of your privacy policy depends on where you’re located, where your customers are located, and what type of information you collect.

While the United States does not have a national privacy law like the European Union’s GDPR, the Federal Trade Commission (FTC) will take action against any company that behaves in a way that is inconsistent with its privacy policy.

The FTC is focused more on consumer protection than privacy, but the two are quickly becoming one and the same as so much of our lives now takes place online.

What this means is you can absolutely find your business in big trouble if you don’t take this seriously.

Because of the potential financial and reputational risks a data breach can pose to an organization, many companies are taking the necessary steps to update their practices and policies due to changes prompted by COVID-19. 

Examples of recent privacy policy updates

Take Uber for example. As the ride sharing service realized the need to alert passengers or drivers if they’ve been exposed to someone who tested positive for COVID-19, it has issued a privacy policy notice to customers stating exactly how it would do this. 

My coworking space, Industrious, released a great updated privacy policy specifically regarding its new COVID-19 procedures, which include taking members’ temperatures upon arrival each day.

The policy covers how they store and share this information in a short and simple but comprehensive statement. It covers the necessary items which include how they will store, retain, protect, and share your data. 

I’m sure at some point during the quarantine you’ve used Zoom to meet online.

While Zoom was one of the top apps people flocked to at the beginning of the health crisis, the company was soon criticized for many of its questionable privacy practices, including being accused of selling personal data, analyzing user videos for ads, and tracking people’s attention during calls. 

The company updated its privacy policies to clarify some elements and stated that some features would be completely disabled, such as attention tracking.

While the attention tracking feature was not nearly as scary as most people took it to be, Zoom understood that its users felt jeopardized and knew that it was time for action. 

While making changes to your privacy policy may seem intimidating or even unnecessary (who’s going to read them anyway?) having an accurate, up to date, and easy to understand privacy policy can save you from massive fines and lawsuits down the road.

All it takes is one informed person to question your privacy practices and adherence to your stated policy (or lack thereof). 

Don’t expect regulators to be lenient due to COVID

Depending on those enforcing the regulations to be forgiving due to the current climate is not a safe bet. In fact, they will likely be more stringent due to the rapid and risky transition to mostly virtual business. 

The Marriott Hotel Group was fined $123 million back in 2019 for failing to do the necessary due diligence regarding their data acquisition and storage. The risk of being fined only increases as more regulations come into play, such as the CCPA. 

California Attorney General Xavier Becerra has shot down attempts to delay the enforcement of the CCPA, stating: “We’re committed to enforcing the law starting July 1. We encourage businesses to be particularly mindful of data security in this time of emergency.” 

The regulations are real and important to abide by, regardless of where you are located or where you do business. 

Knowing things are not about to get any less strict, you can avoid completely unnecessary risk and preventable fines by making sure your privacy policy is accurate, up to date with your third-party vendors, and easy to understand.

This doesn’t even have to be a time-consuming or overwhelming task. You can respect your subscribers’ privacy and minimize the risk of data exposure with a few simple steps. 

How you can easily audit and update your privacy policy

There are a few things you can do to easily audit your privacy policy and make any necessary updates. These fairly simple steps will help protect your company and your audience’s data. 

Take a look at how your new third-party vendors handle data and privacy

Whether you’ve added a payment solution, webinar platform, or even started running ads for the first time (especially if you’ve started running ads for the first time), it’s important that you understand how each solution captures, stores, and protects the data it encounters. 

You may then need to update your own privacy policy to note any updates related to your new tools. It’s vital to only work with third party vendors you trust and whose privacy policies you’ve reviewed. 

One key thing to look for: your third-party solutions should not subcontract data to another data processor unless you’ve instructed them specifically to do this.

This is the only way to be sure your business is legally protected from anything a subcontracted vendor does with data.

Perform an assessment of your own data practices

A basic risk assessment, while a bit tedious, makes you think critically about making decisions that impact your data use, storage, sharing, and more.

Plus, if you are eventually charged with a violation of privacy, you will have documentation to prove you did take steps to mitigate risk of exposure. 

There are even a variety of data protection impact assessment templates available, such as this one from the UK’s Information Commissioner’s Office.

Make your privacy policy something people will actually understand 

The two things you should strive for in your privacy policy are clarity and simplicity. While you do need to cover all necessary aspects regarding data you collect, process, and store, you can do so in a simple and easy to understand format. 

Your privacy policy should be accessible to all readers, not just those familiar with legal jargon. The goal of your privacy policy is to help people trust your organization, not to be so ambiguous you can get away with something due to lack of clarity. 

A perfect example of thoroughness and clarity is Slack’s privacy policy.

If your privacy policy is so out of date or hard to understand that you want to start from scratch, I highly recommend checking out Termageddon.

They help you create policies that automatically update when the laws change and are written by real people, not generated by an algorithm.

They have an easy to use and comprehensive privacy policy generator that I have used and found to be fantastic.

Editor’s Note: IMPACT may receive compensation from Termageddon if you sign up using the link included in this article. This in no way affects our recommendation.

Make sure there’s someone who owns data protection at your organization

As with most things, if there’s not one person responsible for “owning the thing” it likely won’t happen. This is even more important in times like these where changes are happening quickly and things easily fall through the cracks. 

When you assign someone to be responsible for decisions regarding data, it means there will always be someone making sure data doesn’t get overlooked in the process.

Officially, this person is often called a data protection officer or DPO. Even if you don’t assign an official DPO at your organization, someone should be the main contact who is to be consulted before any decision regarding data or vendors is made. 

Even if the person responsible isn’t well-versed in data privacy laws and regulations, you need someone to be the ultimate owner of making sure these things are indeed addressed, even if it means reaching out to your organization’s legal representative.

Ideally, this is someone who has a passion for data or is interested enough to stay educated on the topic, while not necessarily making it their whole job.

I do this for IMPACT!

Is your business protected with an accurate privacy policy?

As more people start to look more closely at their privacy online, are you prepared with a privacy policy that covers your business? 

Assign someone at your organization to be the owner of your data privacy practices and consult them before making any further decisions regarding technology and data.

Consider doing an audit of all the tools you use and exactly what data you collect, how it’s stored, and how it’s protected.

Make sure your privacy policy is up to date, including any changes you may have made due to moving certain parts of your business online or implementing new digital solutions that collect, store, or process personal information.

Finally, make sure your privacy policy is easy to access and understand, and is shared with your audience. 
