Top 5 mistakes startups make with their privacy policies

Privacy policies are a critical pre-launch step for many web-based companies. But not all privacy policies are created equal. Here are the top five common mistakes we see startups make with their privacy policies.

5.    The company doesn't have a privacy policy.
Collecting information from your users without a privacy policy is remarkably risky. In some states it may even be illegal, depending on the type of website you operate. For example, in California, commercial websites that collect personally identifiable user information are required to have a privacy policy. That category includes information commonly collected by commercial websites, like names, emails and addresses. Even if you’re not in a state that requires your website to have a privacy policy, privacy policies are still helpful for setting consumer expectations regarding your use of their data.


4.    The company copied and pasted (insert big company’s name here) privacy policy as its own.
While most major companies do employ very good privacy law attorneys to write their privacy policies, these policies are tailored to that company’s specific needs. Copying and pasting their privacy policy for your own use can lead to a whole host of problems. Some problems, like forgetting to replace their business name with your business name, hurt you more from a business and customer trust perspective. Other problems, like making promises to do things you don’t do and can’t actually do (e.g. removing user data in a set period of time), could be legally actionable. So while having a privacy policy is important, it’s even more important to have a privacy policy that fits your company’s specific needs.


3.    The privacy policy violates the privacy laws of the state in which the company is located.
Privacy law is a bit of a moving target, and laws vary significantly from state to state. Certain state laws even contradict other states’ laws. However, as a rule of thumb, it’s a very good idea to make sure you comply with any relevant federal privacy laws as well as the privacy laws of the state(s) where your business is located. If you’re not sure what laws you need to comply with, we highly recommend consulting an attorney in your area.

2.    Consumers can’t find the privacy policy on the website.
It’s not enough just to have a privacy policy that is tailored to your company; your customers also need to be able to find it, understand it, and agree to it. Legal standards can vary as to what kind of notice is sufficient. It’s often a good best practice to make sure your privacy policy is linked (with a working link) in a legible font in the header, footer or other highly visible part of your website. To ensure your users have agreed to your privacy policy, it’s a good idea to clearly link to it wherever users will be giving you their personal information, placing the link on that form above the send button so that users have a chance to read it before they submit information.


1.    The privacy policy makes a promise the company can’t keep.
The number one rule of writing a good privacy policy is to only make promises you can actually keep. Making promises that sound privacy conscious but that you can’t actually keep lulls your users into a false sense of trust, and when that trust is broken it can be a PR nightmare. It can also be a legal nightmare. For example, the Federal Trade Commission can bring legal action against companies who misled their users about their privacy practices.

And as important as this rule is, it can also be the hardest to comply with because making truthful statements in your privacy policy doesn’t end with the drafting of your policy. It means making sure you keep that information up to date as your data collection practices change. It means making sure that your marketing and business teams understand what promises the company made so your advertising and business practices are in line with your privacy policy. Unfortunately, lack of communication between these teams is so common it’s become a business cliché.  But despite the cliché, making sure you only make promises you can keep in your privacy policy is the number one rule when it comes to privacy policies and the number one mistake we see startups make when it comes to privacy policies.

Are you making any of these common privacy policy mistakes? Make it your New Year’s resolution to get your privacy policy in shape! If you have questions about your privacy policy or privacy law in general, feel free to reach out to New Media Rights via our contact form.
