To keep your Privacy Policy legally compliant, you will need to review and update it at least once in every 12-month period.

Doing an annual update will make sure your Privacy Policy is accurate and up to date, and that it includes any additional information that new or updated privacy laws may require.

This article will explain why you need to do an annual review of your Privacy Policy, how to best do this review/update, and provide tips for making your update process as streamlined and effective as possible.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is a Privacy Policy?

A Privacy Policy is a legal document that discloses information about the following:

  • What personal information is collected, and how
  • How the collected personal information is used, and why
  • What user rights are legally guaranteed to users, and how to exercise them
  • Whether data is shared or sold, such as to a third party
  • How users can contact you with questions, including privacy-related inquiries

Here's the table of contents from EquiLife's Privacy Policy that shows the types of information presented in this document:

EquiLife Privacy Policy table of contents

Who Needs to Have a Privacy Policy?

The short answer is that anyone with a website, app, or platform that the public can access should have a Privacy Policy.

Privacy laws legally require a Privacy Policy whenever personal information is collected or processed. Without one, you will be in violation of the law.

However, even if you don't collect or process any legally protected personal information, you should still post a publicly-facing Privacy Policy because people expect to see one.

Why Have a Privacy Policy if Not Legally Required?

Even if you aren't legally required to post a Privacy Policy, you should have one anyway because consumers and authorities expect to see one.

Not having a Privacy Policy can make you look untrustworthy, even if you aren't. You may also be exposed to a compliance audit in which you would have to prove that you aren't collecting or processing any personal information without disclosing it.

Why Should You Update Your Privacy Policy Annually?

The two main reasons why you need to update your Privacy Policy annually are:

  1. To comply with new and updated privacy laws
  2. To stay accurate and transparent as your business grows or changes

Even if no new privacy laws affect your jurisdiction, and your business practices remain the same, it's a best practice to review your Privacy Policy at least once a year and change the effective date to reflect the date you reviewed it.

To Comply With New and Updated Privacy Laws

New privacy laws are being implemented globally at a fast pace. Similarly, existing laws are often updated with additional requirements.

When either of these things happens, your Privacy Policy can go from compliant to being in violation of the law if you don't update it accordingly.

Additionally, almost every privacy law either directly or indirectly requires that a Privacy Policy be accurate, transparent and up to date. Some, like the CCPA/CPRA, require that a Privacy Policy be reviewed and updated at least once a year (every 12 months):

CCPA: Update Privacy Policy every 12 months clause

And under the GDPR and its Right to be Informed, a Privacy Policy must be transparent, which means it accurately discloses things like what personal information is collected and how it is used:

GDPR Right to be Informed excerpt

Here's an excerpt from the GDPR's Article 13 that explains how information must be provided to data subjects when personal data will be used for purposes other than those for which it was originally collected:

GDPR Article 13 excerpt

This means that if you start collecting and using different forms of personal information, the GDPR requires that you disclose this and communicate the changes to people. This can be done via a Privacy Policy update.

And here's how the ICO summarizes the steps to take when changing what types of personal information are collected:

ICO Right to be Informed: Changes to the information excerpt

Updating your Privacy Policy regularly in accordance with new and changing privacy laws will help ensure your policy stays compliant.

For example, if a law changes to state that you must note the exact security measures that you use to protect personal data, and your existing Privacy Policy only states in general that you keep personal data secure, you will need to update the policy to remain compliant.

To Stay Accurate and Transparent With Business Changes

As your business, blog, app or other outlet grows, it will surely change. You will need to update your Privacy Policy to reflect any changes that affect your collection or use of personal information.

For example, if you start a new SMS messaging marketing campaign and begin to collect phone numbers for this, you will need to update your Privacy Policy to disclose that you collect phone numbers, and will use them for marketing purposes. Collecting the phone numbers without disclosing this in your Privacy Policy will be a violation of privacy laws.

How to Annually Update Your Privacy Policy

When annually updating your Privacy Policy, do the following:

  • Conduct an internal audit of your data practices
  • Review any new or updated laws that apply to you
  • Update or add clauses
  • Add the date of the update
  • Notify users of the updates

Conduct an Audit of Data Practices

Doing an audit of your data practices will help you to get a fully accurate picture of what's going on with your business in relation to personal data collection and use.

During an audit, you will map your data flows by sitting down with any relevant employees (such as an IT team) and determining exactly how data (personal information) flows into and through your business.

Here are some questions to ask during this stage:

  • What personal information do you collect? - Note all of the personal information you currently collect. Have you started collecting any new types of information since you wrote your Privacy Policy? Maybe you expanded into collecting email addresses for a newsletter you recently launched, or you created a rewards program on your ecommerce store that collects birthdates.
  • What methods do you use to collect it? - Make a list of all of the ways that you collect or obtain personal information. What do you obtain directly from the user, and what do you collect indirectly or through a third party? Don't forget about information collected by cookies.
  • How do you use the personal information you collect? - Jot down every single way you use personal information. Did you recently start using an analytics program to collect insights into user behavior?
  • Who do you share the personal information with? - Consider any new third party you started working with that will have access to the data you collect. Did you start working with a third party payment processor as your ecommerce store grew?

Check out our feature article, Conducting a GDPR Data Audit. While that article is directed towards doing a data audit for GDPR compliance, much of the guidance in it applies to general compliance as well.

Review New or Updated Privacy Laws

Many countries around the world have extensive privacy laws, and more are being legislated all the time. During your annual update, it's key to understand what, if any, new or additional legal requirements you must satisfy.

There may be a new privacy law that applies to you that you will need to comply with. Or, an existing privacy law may have been amended since your last update to have additional requirements.

For example, among other specific requirements, the CCPA/CPRA requires that a Privacy Policy include a list of the categories of personal information about users or consumers that a business has sold in the previous 12 months. If none has been sold, the policy must instead state that the business has not sold personal information in the previous 12 months:

CCPA text: List of categories of personal information sold or shared in 12 months clause

The existing clauses in your Privacy Policy may need to be updated with additional information to make them compliant with new or updated laws. And, you may need to add completely new clauses as well.

Update or Add Clauses to Your Privacy Policy

You will need to update or add new clauses to your Privacy Policy based on the following:

  • New or amended legal requirements (as discussed in the previous section)
  • Changes to your business practices (as discussed in the Audit section)

A best practice here is to go clause by clause within your Privacy Policy and make sure each clause is fully accurate, making changes as needed. Use the information and insight you obtained during your audit, and compare it to your existing Privacy Policy content to make sure the policy reflects your actual business practices.

If you don't have an Updates clause, you should add one to your Privacy Policy. This clause will state that you retain the right to update your policy from time to time as needed, and will let users know how they can find out when and what the latest update was.

Here's an example of an Updates clause from EquiLife that explains why and when the policy may be updated, and how notice will be given:

EquiLife Privacy Policy: Updates clause

Here are some tips for addressing a few of the major types of clauses in a Privacy Policy.

What Personal Information You Collect

Add any new types of information you collect, and remove anything you no longer collect.

For example, here's a clause that lists all the types of personal information collected. To be compliant, this list must be accurate:

Target Privacy Policy: Information Collected clause

You don't have to use a list format. However, using one will make it extra easy to update your Privacy Policy, especially if your data practices change often.

How You Collect Personal Information

Add any new methods you use for collecting personal information, and remove any methods you currently have listed that you no longer use.

Here's an example of a Privacy Policy clause that lists out a variety of ways that personal information is collected, including through newsletter signups, forms, and customer service contacts:

EquiLife Privacy Policy: How we collect personal information clause

This clause shows the level of detail and clarity that you can offer your users by being thorough and accurate.

It also shows how important it is to be accurate so you don't end up misleading customers who may not think they're sharing personal information with you when they really are.

How You Use the Personal Information You Collect

Same as in the previous section, use information from your data practices audit to disclose all the different ways that your business uses personal information.

Add any new uses, and remove any old purposes that you no longer use personal information for.

Make it clear in your clause that you do not use personal information for any purposes not stated in your policy, as seen here:

EquiLife Privacy Policy: How we use your personal information clause

What Rights Users Have

New privacy laws may grant new rights to users. If the laws have changed to expand the rights of users, add the additional rights to your Rights clause.

Note how this clause acknowledges that there may be additional rights granted to users, and encourages them to become aware of those rights:

Bumble Privacy Policy: User Rights clause

This is a good way to acknowledge that there may be additional rights beyond what you list.

However, always try to list all the explicit rights that you are certain will apply to at least some of your audience base.

If You Share Personal Information

Disclose any new third parties you have started sharing personal information with since your last update.

If you don't share any personal information, disclose this as well, as seen here from Beekeeper's Naturals:

Beekeeper's Naturals Privacy Policy: Third parties clause

In contrast, if you do disclose personal information, be detailed and specific about who you share it with, as seen here:

Chick-fil-A Privacy Policy: Disclose information to third parties clause

If you share personal information internationally, make sure you note that you follow safeguards and relevant laws.

Regional-Specific Notices

As new privacy laws pop up around the world, they may require specific notices to be included in your Privacy Policy.

These notices will outline relevant information for the people to whom the regional law applies.

Here's an example of a notice for residents of the EEA, UK, and Switzerland within EquiLife's Privacy Policy:

EquiLife Privacy Policy: Lawful basis for processing for residents of the EEA UK and Switzerland clause

And here's one tailored for California users from the same Privacy Policy:

EquiLife Privacy Policy: Notice to California residents clause

Update the Effective Date

Update the effective date of your Privacy Policy to make it clear to authorities and the public that you have indeed updated your policy within the last year.

Typically this will be found at the beginning of a Privacy Policy, but some companies choose to put it at the end instead.

Here's an example of it placed at the top of a Privacy Policy:

EquiLife Privacy Policy with updated date highlighted

How to Notify Users of Your Annual Privacy Policy Update

After you update your Privacy Policy, notify users about this. This will give them the opportunity to review the changes and decide if they still feel comfortable sharing personal information with you based on any of the changes.

Some ways you can notify users of your annual updates/changes include:

  • Sending out an email that notes the changes and links to the Privacy Policy
  • Displaying a pop-up banner or notice when someone visits your website after the update, informing them of the update

As noted earlier, your Updates clause will help inform users how you will be giving notice, and how they can check to see the date of the last update.

Here's an example of an email that announces a Privacy Policy update, summarizing what changes have been made and linking to the full document:

New York Times Privacy Policy update email screenshot - 2024

Here's an example of how a pop-up or banner notification can be used to give notice about the updated policy. This type of notice would pop up when someone visits your website to help ensure the user knows of the changes and has a chance to learn more about them:

Generic updated agreements notice

You typically do not need to re-obtain consent for your Privacy Policy after doing updates.

However, if you fall under the scope of the GDPR and rely on consent as your lawful basis for processing the information, you will need to re-obtain consent for the policy changes.

Otherwise, it's enough to do the following:

  • Provide notice of the updates, as discussed in the previous section
  • Let users know that by remaining one of your users, they're showing agreement to the changes/updates, and
  • Give users a way to opt out from having their data collected or used, at any time

In the following email from GasBuddy, note how it summarizes the changes/updates to the policy, then gives its users instructions on how to opt out or adjust privacy settings:

Screenshot of GasBuddy Privacy Policy update email

Summary

At least once every 12 months, you will need to review and update your Privacy Policy.

This is to ensure the policy stays compliant with an ever-changing legal landscape, while also accurately reflecting your current business practices.

Start by doing an audit of your data practices to get a fully accurate view of what your company is doing.

Next, get familiar with any new or updated laws that apply (or will apply) to you.

Go through your Privacy Policy line by line, clause by clause and make sure it's compliant with any new legal requirements, and that you update the specifics of each clause as needed by removing and adding information.

Send out a notice by email or website pop-up banner that lets your users know that your Privacy Policy has changed, and how they can opt out or adjust their privacy settings if they are unhappy with the changes.

After doing your policy update, don't forget to change the "last updated" or "effective" date, usually located at the top of the policy. This will show authorities that you're taking steps towards compliance, and will show consumers that you value their privacy and privacy rights.
