01/08/2025

You’ve given your privacy notice a face-lift. It’s got headings, pastel icons, and a reassuring tone. It lives on a modern website. It even says “we take your privacy seriously.”

But it still sucks. Here’s why:

It’s still a wall of legal waffle – Many privacy notices are too long and full of legal jargon, with an emphasis on covering the organisation’s back rather than helping people understand what’s actually going on with their data. It is not enough to mention lawful bases or data processors; you should explain them, in plain English.

Admit it, you copied and pasted it, didn’t you – I see privacy notices lifted from templates or other organisations, barely tweaked. If yours refers to processes or platforms you don’t use, or misses ones you do, that’s a problem. It is not one-size-fits-all, I’m afraid: a notice must reflect your organisation’s practices, decisions and risks. This week alone I’ve seen a UK-based party company explaining how they comply with the California Online Privacy Protection Act with no mention of UK laws. If your business throws parties in Kent, not California, Peppa Pig doesn’t need to comply with CalOPPA and neither do you.

It doesn’t match what you actually do – You can’t say “we’ll only use your information to respond to your query” and then quietly add people to your mailing list, or say “we delete data after 6 months” and keep it indefinitely in backup systems. The ICO can (and does) ask for evidence that you’re doing what you said you would.

Most people don’t care which lawful basis you’ve picked; they want to know:

  • Why do you need this information?
  • Who will see it?
  • Will I get spammed?
  • Can I say no?
  • What happens if something goes wrong?

What to do instead:

  • Use language that makes sense to real people
  • Be honest about risks, not just benefits
  • Align your notice with your actual practices
  • Make it easy to find, scan, and understand
  • Review it regularly – not just when a law changes
  • Don’t rely on US state laws if you only process data in the UK

Want a privacy notice that doesn’t suck and keeps your clients, customers and the ICO happy?
Let’s talk. No fluff. Just proper data protection.

Use the Contact Form, or email us directly: dpo@jhdataprotection.com
