It’s tax season! That magical time of year when I stare at numbers and realize I have a firm grasp on exactly none of the complexities of the tax code.
I used to think taxes were simple. You earn money. You send some of it to the government. They use it to pave roads, improve schools, make sure that one overpass doesn’t collapse on you while you’re waiting at the red light that lasts just long enough to contemplate infrastructure, and other noble causes. Or they embezzle it all. There seems to be very little middle ground.
Then someone mentions deductions. Credits. Capital gains. Cost basis. And suddenly you realize there’s a lot more to taxes than you originally thought.
Privacy Policies are similar in that they can feel straightforward. You collect data. You add a Privacy Policy doc to your website. Now you’re all set!
Except… not quite.
If you take the time to understand what a Privacy Policy actually does and implement it properly, you can avoid regulatory headaches and client panic. Plus, unlike taxes, doing everything correctly means you won’t have to pay the government anything.
But misunderstand what it does, or treat it like a decorative footer accessory, and you can open yourself and your clients up to serious financial and legal risk. Fines for this kind of thing start at $2,500 per website visitor whose rights you’ve infringed upon. I don’t think you’ll be able to write off those expenses on next year’s tax return.
So, let’s jump into the 7 things web designers often think Privacy Policies do… but they don’t.
Note: This is not legal or tax advice.
1) A Privacy Policy does not immediately make your website compliant
A Privacy Policy is a document that explains your privacy practices such as what information you collect, what you do with that information, and who you share it with. A Privacy Policy is created to comply with applicable privacy laws and thus must include the disclosures required by those laws to avoid non-compliance fines and lawsuits.
While it’s an important tool towards compliance and gaining the trust of website visitors, it doesn’t necessarily mean your website is compliant. You still need to ask yourself the following questions:
1. Is it a proper Privacy Policy? – There are a bunch of free Privacy Policy templates and generators out there that are far too generic to actually comply with modern privacy laws.
As mentioned above, privacy laws have very specific disclosures that must be listed within your Privacy Policy. So, your Privacy Policy must be written by an attorney or created by a generator that is able to ask you about your business practices, find out which laws apply to your business, and determine what disclosures those laws require.
It sounds obvious, but many Privacy Policies are simply privacy placebos that trick website owners into feeling compliant when they’re really not.
2. Do you need other policies? – Depending on your website or what products you’re offering, you may also need a Terms of Service, Cookie Policy, or Disclaimer to comply with certain laws or regulations.
3. What about consent? – Several privacy laws require you to get consent before placing cookies onto people’s browsers. So simply disclosing your cookie practices (via your Privacy Policy) may not be good enough if laws like GDPR, PIPEDA, CIPA, or CPRA apply to you.
2) Users agreeing to my Privacy Policy does not allow me to do whatever I want with their data
A user clicking “I agree” to your Privacy Policy does not erase their statutory rights.
For example, you generally cannot:
- Waive user rights through a blanket agreement
- Override opt-out rights
- Change your business practices and not update your Privacy Policy
- Bundle consent for everything into one checkbox
Many laws require consent to be specific and informed. Accepting a Privacy Policy that mentions cookies is not the same as giving valid consent for specific cookies like marketing or analytics cookies. Many laws only allow this kind of consent to take place via a proper cookie consent banner.
3) A Privacy Policy does not make illegal privacy practices legal
Just because you disclose that you’re doing something illegal doesn’t mean it’s okay.
For example, your Privacy Policy may list that you process personal information for targeted advertising because it’s necessary to enter into a contract with the individual. However, this would be illegal, since under laws like the GDPR and UK DPA targeted advertising must rely on consent as its legal basis. In addition, many privacy laws state that privacy rights cannot be waived, so if your Privacy Policy states something along the lines of “I agree not to ask the company to delete my personal data”, that would not be valid.
Privacy Policies explain what you do, not legalize practices that violate applicable laws.
4) A Privacy Policy does not automatically reassure website visitors
Yes and no. While it’s true that one of the primary benefits of a Privacy Policy is to show visitors that you care about their privacy rights, it can also massively backfire.
You will straight up offend privacy-savvy users if your Privacy Policy contains:
- A “last updated” date from 2018
- An unfilled template placeholder such as *insert company name*
- A blanket claim like “We don’t share data”
Actions like the above make it seem like a website is just going through the motions and not actually taking the time to respect the privacy rights of its visitors.
5) A Privacy Policy does not get read
I will admit that a Privacy Policy isn’t exactly a page turner… page scroller? Whatever. It’s true that many users will never once venture into your footer’s policies.
However, those who do usually know their privacy rights, value their privacy, or are attorneys looking to make sure that your website is playing nice with residents of their area.
Most restaurant visitors don’t go into the kitchen, but the ones who do are probably health inspectors and the owner better be sure it’s nice and clean in there.
6) A Privacy Policy does not count as consent for cookies
We hit on this above, but it’s worth revisiting. It’s good to list out all the cookies your website may place on a visitor’s browser. That being said, a website is not the one that gets to decide if those cookies actually get placed on a user’s browser. That’s for the user to decide. After all, privacy laws are designed to protect users, not businesses.
A cookie banner must be clearly visible before any non-essential cookies can be placed on a browser. While a footer is fine for a Privacy Policy, consent needs to appear in a banner. It also must meet several requirements to ensure that it is not deceiving people into making choices they don’t wish to make.
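The consent-gating described here and in point 2 above, as an added example that is not part of the original post: consent is recorded per category (no bundled “I agree”), only essential cookies are permitted until the visitor opts in, and an audit check flags any non-essential or undeclared cookie observed before the banner was answered. The cookie inventory and cookie names are constructed for the example.

```javascript
// Added example (not from the post). Decides which cookies a page may set
// from per-category consent and audits cookies set before consent was given.
const NON_ESSENTIAL = ["analytics", "marketing"];

// Constructed cookie inventory: what the site declares in its Cookie Policy.
const COOKIE_INVENTORY = [
  { name: "sess", category: "essential", purpose: "keeps the user logged in" },
  { name: "stats_uid", category: "analytics", purpose: "traffic measurement" },
  { name: "ad_uid", category: "marketing", purpose: "targeted advertising" },
];

// Consent is opt-in: a category is allowed only if the visitor explicitly
// chose `true` for it. Missing or non-boolean values count as "no consent",
// so a blanket "I agree" without per-category choices allows nothing extra.
function normalizeConsent(record) {
  const consent = {};
  const valid = record !== null && typeof record === "object";
  for (const cat of NON_ESSENTIAL) {
    consent[cat] = valid && record[cat] === true;
  }
  return consent;
}

// Names of cookies the page may set right now: essential ones always,
// non-essential ones only for categories the visitor consented to.
function permittedCookies(record, inventory = COOKIE_INVENTORY) {
  const consent = normalizeConsent(record);
  return inventory
    .filter((c) => c.category === "essential" || consent[c.category] === true)
    .map((c) => c.name);
}

// Audit check: given cookie names observed on a fresh visit *before* the
// banner was answered, report each one that should not be there yet.
// Undeclared cookies are reported too: consent cannot cover an unlisted cookie.
function preConsentViolations(observedNames, inventory = COOKIE_INVENTORY) {
  const byName = new Map(inventory.map((c) => [c.name, c]));
  const violations = [];
  for (const name of observedNames) {
    const entry = byName.get(name);
    if (!entry) {
      violations.push({ name, reason: "undeclared" });
    } else if (entry.category !== "essential") {
      violations.push({ name, reason: entry.category + " set before consent" });
    }
  }
  return violations;
}
```

Run `preConsentViolations` against the cookies a clean browser profile holds after first page load; an empty result means the banner is actually gating the non-essential cookies the policy declares.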
7) A Privacy Policy does not last forever
Privacy laws change. New state laws go into effect. Definitions evolve. And your Privacy Policy is expected to keep up with all of these.
Even if you use an attorney or a Privacy Policy Generator that automatically updates policies (like Termageddon), you may still have to do things like occasionally revisit your business’s privacy practices or answer new questions to create new disclosures.
However, this is significantly easier than using a template or writing your own, in which case you’d need to regularly:
- Monitor for new privacy laws
- Read the laws to see if they apply to your business
- Pick out what disclosures those laws require
- Find out where to put those disclosures within your Privacy Policy
- Write those disclosures
- Monitor changes to existing laws
- Monitor all of the above for each of your clients
- Monitor your mental health for having to put up with all this on top of owning a website
Conclusion
A Privacy Policy is an important part of compliance, but it’s rarely the entirety of compliance.
Treating it like a decorative footer link is risky. Understanding what it actually does, and pairing it with the right operational practices and consent tools, is what protects your clients and your agency.
Unlike taxes, a Privacy Policy is not a punishment for existing. It’s just a way to keep your website from acting as the tax man to your own visitors’ data – collecting as much as it can, as often as it can, with them having no ability to opt out.