Changing Your Privacy Policy & Terms and Conditions

James Chiodo, Certified Information Privacy Professional CIPP/US

It happens every day on the Internet. A company makes a substantial change to its privacy policy or terms and conditions agreement and carries on, assuming this change will apply to all its past customers.

Well, it doesn’t work that way. Fundamentally, these types of policies and agreements are contracts with your users and customers. If you want substantial changes in the way you handle personal information to become effective for your past users and customers, you will need to get your users’ and customers’ consent first.

That means contacting them by email or through some type of mail delivery service and telling them of the changes and giving them the chance to opt out of sharing information.

And putting a provision in your policies like this will not work:

We reserve the right to change the terms of our privacy policy or terms and conditions at any time. We encourage you to review these policies when you visit our website. We shall post any revision to these policies on our website, and the revision shall be effective immediately on such posting. You agree to review our privacy policy and terms and conditions posted on our website periodically to be aware of any revisions.

It’s a convenient idea, but the law does not work that way.

The courts have held that parties to a contract have no obligation to check a website’s policy or terms and conditions on a periodic basis to learn whether they have been changed by the other side. Why? Because, as with any other contract, one party cannot unilaterally change the terms of the contract without the other party’s consent.

Companies must mention how they change their privacy policy.

This discussion must describe: (1) how, if at all, any changes will be communicated to visitors, users and customers; and (2) whether any changes are binding upon visitors who submitted PII (Personally Identifiable Information) under a previous version of the policy. Policy amendment procedures are important because a privacy-invasive policy creates serious threats.

Take, for example, a company that promises not to sell PII in its 2010 policy and collects thousands of email addresses. Assume further that this company has a policy allowing privacy policy amendments at any time without getting its users’ or customers’ consent or providing them with notice. If this same company amends its policy in 2014 to allow selling of collected PII externally, users and customers might never know of the change – remember, people generally do not read privacy policies to begin with and rarely return to check in for updates.

Because they receive no notice of the change, they also stand little chance of realizing that their PII is for sale on the open market. Many of these same visitors would never have submitted information under the 2014 amended policy but find themselves bound by its terms.

Here is a Sample Change of a Privacy Policy Notice:

Notification of Changes to Our Privacy Policy

If our company decides to change our Privacy Policy, we will post those changes on our website so our users and customers are always aware of what information we collect, use, and disclose. If at any time we decide to disclose or use your personally identifiable information in a manner different from that stated at the time it was collected, we will let you know by email or in writing. Otherwise, we will use and disclose our customers’ and users’ personally identifiable information in agreement with the Privacy Policy that was in effect when such information was collected.

The above is just one possible provision that a website or blog owner could use.

