Many companies are shocked when they learn that a government agency is about to fine them or that they are about to be subject to a class action lawsuit. These companies honestly believe they have good privacy policies and practices when, in fact, they are actually at risk. They also think that only the largest companies are fined. This is far from the truth. Small companies like the weight loss app Kurbo and Edmodo received $1M+ fines.
At Common Sense, we’ve rated over 5,000 companies on their privacy practices.
It’s not uncommon for a company to be surprised by some of our findings.
The reason these companies are surprised is that there are many misconceptions about privacy laws and how to adhere to best practices. The biggest threat for every company is change. Every business regularly alters its practices, the technology it uses, and the markets it serves. Each time a company makes a change, it needs to understand the impact these changes can have on its customers’ data privacy. Additionally, laws are changing, and new laws are being introduced.
Seven new laws were introduced since California’s landmark privacy law in 2023, with another five having taken effect in January 2025. Staying on top of these laws can be a daunting task.
To help companies mitigate this risk, we’re sharing seven best practices every company should follow. Read on for the 7 Ways You Can Avoid a Privacy Policy Disaster:
1. Re-read Your Privacy Policy at Least Once a Quarter
Every company is busy, but at a minimum, you should re-read your privacy policy at least once a quarter. Many of the companies we talk to will tell us that they don’t do X or Y, but their actual privacy policy states the opposite. This can create a lot of risk. With a quick skim, you can often find statements that no longer match your actual privacy practices. This is one of the quickest ways to catch and fix privacy gaps. Also, keep in mind that many state laws require you to update your privacy policy at least once a year.
2. Check Your Policy Whenever Your Business Changes
Change your product launch process so that it includes a standard step where someone asks, “Do these changes have an impact on customer privacy?” This is especially important if you start targeting a new user group or geography, and it is a must if you adopt new customer acquisition strategies, particularly new marketing technologies or user data tracking.
3. Be Clear and Transparent About What You Do and Don’t Do!
Many companies don’t realize that silence about a privacy practice can be worse than a bad practice. If you don’t collect user data or sell user data, be sure to state that in your policy. When Common Sense Media rates a company’s privacy practices, a lack of transparency scores worse than a well-documented privacy practice that takes more liberties with user data. It’s important that your customers are able to make an informed choice about whether to use your product or service. This is why being transparent about less privacy-preserving practices is emphasized over staying silent on privacy practices.
4. Don’t Assume That Your Policy Is Good Just Because a Lawyer Wrote It!
Lawyers get paid to protect their clients. They are experts on how to limit their clients’ risk with a bulletproof privacy policy. However, they are often not experts on the best practices you should follow to protect user or children’s data. Public school systems frequently reject vendors simply because their privacy policies don’t do enough to protect parent and student data privacy rights. The privacy policies protected the vendors well, but not the students and parents.
5. Learn What It Means to Sell Customer Data
When most people hear “sell,” they think a company must be receiving monetary compensation for providing user data to a third party. The actual legal definition of selling customer data is much broader. Privacy cases involving Sephora and DoorDash show that, under the CCPA, a “sale” of data is any disclosure of consumer personal information to third parties in exchange for a benefit. This includes the use of many marketing pixels, like the one provided by Meta.
GoodRx paid a fine of $1.5M to the FTC for using marketing pixels from Google and Facebook to run targeted ads. Use of these pixels led to sharing personal data with Google and Facebook, which is considered selling. In other cases, like DoorDash, we’ve seen companies share marketing data with partners, which is also classified as “selling.”
6. Understand the True Definition of Personal Data
Personal data is not just a name, email address, birthday, and social security number. It goes much further than that. A great example is location data. Over 400 apps were at risk of being dropped from the Google and Apple app stores when it was discovered that X-Mode was selling location data to the US government and military contractors.
7. Keep Up to Date on New Laws and Changes in Existing Laws
Seven new U.S. state laws were introduced in 2023 and 2024 alone. Another five laws will be enacted in January 2025. It’s important for companies to track these new laws to ensure they are compliant in every state where they operate.
How Common Sense Privacy Can Help
Staying up to date on privacy laws and changes in your business can turn into a full-time job. It is also a team effort that requires support from engineering, product management, and marketing. Common Sense Privacy (CSP) takes much of the cost and complexity out of creating and keeping privacy policies and app labels up to date. CSP also helps you define the best privacy practices for your business.