Shopify provides a free privacy policy generator at https://www.shopify.com/tools/policy-generator. It’s from a large and reputable company, so what can go wrong? Quite a lot.
Let’s get to the basics first. A privacy policy is generally required when you handle personal information. “Handle” and “personal information” are loaded terms that are not defined uniformly across jurisdictions, but the gist should be plain. If you have a contact-us form, allow users to create personal profiles, or deliver to personal mailing addresses, you likely need a privacy policy in virtually any developed country in the world.
The key concept driving the regulatory requirement for a privacy policy is consent. It’s simple – everyone has a right to privacy, which, broadly, is control over their personal information. Your business should only be able to handle someone’s personal information with their consent. And consent is only possible with transparency. The privacy policy provides clarity on how a business handles personal information by answering the who, when, what, where, and why questions. Shopify answers these questions in their policy:
- Personal information we collect
- How do we use your personal information?
- Your rights
- Data retention (read as, how long do we keep your information)
Privacy Policies are Easy… in theory
In theory, privacy policies are just statements about how you handle data. It shouldn’t be hard, and so I do scoff sometimes when small businesses reach out to lawyers to draft expensive policies. The truth is that you are not likely collecting data in a novel way. Newsletters, account profiles, and mailing addresses likely cover most cases on the internet. With this mindset, you can imagine why there are a variety of privacy policy generators out on the internet. If you are aware of the pitfalls, they are fantastic starting places that can save you the trouble and cost of going to a lawyer.
Being Truthful – Read your documents!
The fact that the tool is being offered by Shopify might itself be a hint as to why it’s flawed. The tool gives no warning that the privacy policy it generates is designed entirely for a Shopify eCommerce site. That shows up in the very first sentence of the generated policy, but you’d be surprised how often I’ve seen the Shopify tool recommended on social media for app developers or brick-and-mortar stores.
This Privacy Policy describes how your personal information is collected, used, and shared when you visit or make a purchase from https://reference.legal/ (the “Site”).
Shopify Privacy Policy – Generated Text
Other privacy policy generators focus on different products. Nevertheless, it’s important to stress the obvious: you need a privacy policy that is accurate to your practices, which means you should be reading the output. I know there’s an aversion to reading legal documents, but skim if you must. The red flags should be obvious to anyone who takes a quick glance.
One of the biggest pitfalls you can fall into with a privacy policy is posting one without considering whether it is true or accurate. For example, you might state in your privacy policy that you do not sell personal information to third parties, but then your business practices change, or the statement was never accurate in the first place. There are loads of scenarios where that can backfire:
- Privacy regulations require accurate policies (duh)
- Consumer protection regimes might consider this false advertisement or misleading statements
- Contracts between you and your users may reference the policy, so an inaccuracy may be considered a breach of contract
- Your insurance may not cover you if you were inaccurate about your practices
Compliance – Changes in the Law
The next pitfall is not following up on changes in privacy law. Privacy law is one of the fastest developing areas of the law. Right now, the United States has more than two dozen bills with proposed changes. It’s unreasonable to ask business owners to keep up with such a fast-moving area of the law. However, privacy policy generators create a privacy policy on a fixed date, and the document does not change afterwards. A serviceable privacy policy from 5 years ago likely will not have the text needed to keep it in compliance today.
Some providers address this with living documents. Termageddon, for example, provides a service that will continually notify you and provide updated text for your privacy policies. Another alternative is simply to revisit the matter once every several years with a new privacy policy generator.
When you embed a Termageddon policy onto a website, it will automatically be updated with newly required disclosures whenever the laws change.
Termageddon – Explainer
reference.legal’s Privacy Policy Generator/Template
reference.legal’s approach to everything is intuitive and low tech. Our privacy policy template is at https://reference.legal/v1/forms/privacy/privacy-policy/LATEST/. We have some default text that you should obviously overwrite with your own use case.
More importantly, the sections on Individual Rights and the Right to Contact a Data Protection Authority are hyperlinks to other sections of our website. The idea is that we will continually keep the description of those rights and the contact information of the various Data Protection Authorities up to date. If your privacy policy refers to those sections, you will never have to update your own text; we take care of that for you. No accounts, no subscriptions, no intervention on our part whatsoever. Our approach is honed from years of experience trying to standardize contracts.
This is not a new idea. Major companies like Electronic Arts have webpages dedicated to their legal function. They may have a myriad of products, each with its own privacy policy, but each policy refers to a central place to exercise data privacy rights. Other companies use standard language across all their policies, or a similar structure and format. We’re just thinking about this at scale to help smaller businesses. Instead of managing a dozen privacy policies under one brand, the same approach can be taken to manage millions of policies across all brands.