Whether you have a Privacy Policy or are considering creating one for your website, it’s crucial to understand that businesses collecting Personally Identifiable Information (PII) need a Privacy Policy to comply with various privacy laws. Most businesses have a Privacy Policy to meet these legal requirements because non-compliance can result in significant fines, starting at $2,500 per website visitor, or potential legal action. This article will cover who needs a Privacy Policy, the key elements of crafting one, and examples of fines related to Privacy Policies to help you understand your compliance responsibilities.
Who Needs a Privacy Policy?
If your website collects Personally Identifiable Information (PII), you need a Privacy Policy. PII includes any data that can identify a specific individual or is related to them. Common examples of PII collected by websites include:
- Name
- Phone number
- Physical address
- IP address
Websites typically collect PII through features like:
- Contact forms
- Email newsletter subscriptions
- eCommerce transactions
- Account creation forms
- Analytics tools
- Advertising features
Various privacy laws govern the collection of PII, requiring websites to have a Privacy Policy. These laws mandate specific disclosures to protect personal information. The scope of these laws isn’t limited by the size or location of a business; some apply to all businesses, regardless of revenue, employee count, or the volume of PII collected, while others may exempt nonprofits but still apply to for-profit entities. To determine which privacy laws apply to your website, consider:
- Whose PII are you collecting?
- Who do you track through cookies, pixels, analytics, or advertisements?
- Where do you do business?
- To whom do you offer goods or services?
If you’re unsure which privacy laws apply to you, Termageddon’s policy generator questionnaire can help you determine this during the Privacy Law Identifier stage.
Privacy Policy Guidelines
Contrary to popular belief, Privacy Policies are not just filled with generic, template-like language. Strict guidelines must be followed to ensure compliance with relevant laws and regulations, avoiding potential legal repercussions. Your Privacy Policy must:
- Include all the disclosures required by applicable privacy laws.
- Accurately reflect your actual business and privacy practices.
- Be easy to read and not misleading.
- Be updated with changes in existing laws and new privacy laws.
Keep these guidelines in mind when reviewing the examples of website Privacy Policy fines discussed below.
Privacy Policy Fines: Examples
Sephora
Sephora agreed to a $1.2 million settlement for violating the California Consumer Privacy Act (CCPA), which was recently amended by the California Privacy Rights Act (CPRA). The company failed to inform customers in its Privacy Policy that it was selling their personal data and did not handle opt-out requests properly. Besides the penalty, Sephora had to update its online disclosures and Privacy Policy to clearly state that it sells personal information.
Uber
Uber was fined €10 million for violating the General Data Protection Regulation (GDPR). The company failed to meet GDPR’s transparency requirements by not providing information on how long it retains PII or where it transfers PII, and by making it difficult for individuals to exercise their privacy rights.
Black Tiger Belgium
Black Tiger Belgium, a data management company, was fined €174,640 for violating GDPR, including failing to inform individuals that their PII was being processed and not mentioning in its Privacy Policy that those individuals have the right to opt out.
Google
Google was fined €57 million for multiple GDPR violations, including failing to explain how PII would be used for personalized ads and across various Google products. The company also lacked a valid legal basis for processing PII as required by GDPR.
Canal+ Group
The Canal+ Group was fined €600,000 for breaching GDPR’s transparency requirements. The company did not provide sufficient information in its Privacy Policy about the retention period for PII and the categories of third parties with whom PII is shared.
WhatsApp
WhatsApp was fined €225 million for GDPR violations concerning inadequate information about the processing of personal information. The company’s Privacy Policy did not sufficiently explain the legal grounds for processing PII or the sharing and processing of PII with other Meta companies.
Conclusion
As these examples show, having a comprehensive and up-to-date Privacy Policy is crucial to avoid privacy-related fines and legal actions. Companies have also faced fines for failing to implement proper cookie consent banners. If you don’t have a thorough Privacy Policy or a strategy to keep it current with changing requirements, contact us today.
Ensuring your Privacy Policy is extensive and current is essential for compliance and can prevent privacy-related penalties and legal actions. Contact us if you need assistance with your Privacy Policy or compliance strategy.