In today’s digital age, user privacy is of utmost importance. More than 30% of users have terminated their relationships with companies over data privacy concerns. On the other hand, 69% of users are more likely to be loyal to a brand that does not abuse their personal data. Thus, it is crucial for companies to have a clear and concise privacy policy that protects user data while promoting user loyalty.
Clearly articulating what data is being captured, how it is being used, and who has access to it is the baseline to easing your customers’ concerns.
However, the subscription industry is in a unique position where companies are expected (and required) to go above and beyond to protect their customers’ data.
“As the [subscription] industry is growing exponentially, the FTC, the State Attorneys General, the class-action lawyers are all over it,” said Linda Goldstein, Partner & Co-Leader at BakerHostetler, during her SubSummit 2022 session. “It has actually become one of the most heavily regulated industries we have – both at the federal and the state level.”
Here are six tips to protect your subscription business while cultivating loyal, trusting customers.
Avoid Legal Jargon and Speak to Your Customers Like Humans
A common mistake companies make when drafting their privacy policy is using complicated language and legalese (legal language deemed hard to understand). While it might have been acceptable in the past, users are becoming more aware and adept of digital literacy. With more data leaks and security breaches making the news, privacy policies are becoming increasingly relevant.
That said, if you want to show your customers you care about their privacy, you need to tell them, not just your lawyers. Keeping the language simple and writing at an 8th-grade reading level will ensure that users can understand the policy without having to consult a lawyer.
Try to break up your content so it is not a huge block of text. It can be intimidating and off-putting for many users.
Get Clear Consent or Agreement
Another common mistake is not obtaining your users’ clear consent or agreement. Consent must be expressly given, and pre-checked boxes can no longer be used in certain U.S. states or Europe. Companies must ensure that users have explicitly agreed to the terms of the privacy policy.
The days of assuming the user is granting consent just by visiting your website are over. Even if you do not specifically have to adhere to those laws, it is a good standard to follow and protect your subscription.
Consent needs to be affirmative, and it must require action. The most widespread practice is to include a checkbox that requires the user to click the box and proceed with their action. Your privacy policy should also be linked and easily findable in the areas where consent is being requested.
Where You Should Display Your Privacy Policy:
- Checkout pages
- Webpage footer
- Sign-up forms
- Log-in forms
Updating Your Privacy Policy as Your Business Changes
A common mistake is not updating the privacy policy as the business changes. Updating the privacy policy regularly is not only a legal requirement; it’s also good, ethical practice.
This can include changing the structure of your subscription (re-bill dates, cancellation policies, etc.) or if you introduce third-party systems or subscription bundles with other companies.
Nearly half of consumers who stay up to date on data privacy issues said they have switched companies or providers due to disagreements with a brand’s policies.
If you do share data with third parties or partners, add a section in your policy that identifies the third party, what data they collect, and what they use it for.
Using Standard Templates Without Changing
Using standard templates can be helpful, but it is important to customize them to your business and industry.
Templates are typically filled with long-winded legalese and general policies and may be missing clauses that you are required to have. Depending on what country and/or state you are doing business in, there are a lot of required items you need to include that might not be covered in a standard template.
Ensuring Your Team Understands What is in Your Privacy Policy
It is essential that anyone with access to or control of customer data is aware of the privacy policy. Even the best privacy policy on paper may not be effective in practice if the team does not understand it.
It is also important to disclose any third-party data access and avoid third parties altogether if possible. If using third parties, add a section to the policy that identifies it or them, what data they collect, and what they use it for.
Understanding International and Local Privacy Laws
The General Data Protection Regulation (GDPR) provides several rights for individuals in the EU concerning their personal information, with the specific rights dependent on the type of data, particularly highly sensitive data.
While the U.S. laws vary in detail, the rights are essentially similar to those established in the GDPR, including the right to access, correction, portability, erasure, consent, and appeal.
In addition to these rights, the GDPR outlines specific governing principles, such as privacy or data protection by design, record-keeping, data minimization, transparency, informed consent, legitimate uses, data protection officers, best cybersecurity practices, data breach notifications, employee training, and requiring appropriate contractual language.
It is important to note that these lists are not exhaustive, as GDPR has 99 articles covering various aspects of data privacy. However, understanding these rights and legal principles can help in analyzing the rapidly changing data privacy laws in the U.S. and anticipating upcoming changes.
The following are the upcoming state data privacy statutes expected to take effect in 2023:
- The California Privacy Rights Act (CPRA) came into force on Jan. 1, 2023, with most of its provisions. The CPRA modified the California Consumer Privacy Act (CCPA) and introduced individual rights like the GDPR. The CPRA also established a new state agency responsible for enforcing the GDPR, like data protection agencies in EU countries.
- The Colorado Privacy Act (CPA) will take effect on July 1, 2023. In addition to providing GDPR-like individual rights, the CPA mandates data security and contract provisions for vendors, and “high-risk” processing assessments.
- The Connecticut Data Privacy Act (CDPA) will also go into effect on July 1, 2023, like Colorado’s privacy law. It also creates GDPR-like individual rights and requires data minimization, security, and assessments for “high-risk” processing.
- The Utah Consumer Privacy Act (UCPA) will become effective on Dec. 31, 2023, and includes specific GDPR-like individual rights. It also requires data security and contract provisions but does not explicitly mandate risk assessments.
- The Virginia Consumer Data Privacy Act (VCDPA) took effect on Jan. 1, 2023, and provides certain GDPR-like individual rights. However, in 2022, the “right-to-delete” was replaced with a right to opt-out from specific processing.
It is important to keep up to date on legislation and laws that are being passed in areas where you do business; this is just the beginning of states becoming stricter with data protection policies.
Privacy Policy Made Simple
While this all might be a little overwhelming, the main point is to make your privacy policy as simple as possible. Your subscription company’s privacy policy should be:
- Readable
- Transparent
- Accessible
- Complete
- Adherent
In today’s digital age, user privacy is crucial, and subscription companies must have a clear and concise privacy policy to protect user data while promoting user loyalty.