01/08/2025

You’ve given your privacy notice a face-lift. It’s got headings, pastel icons, and a reassuring tone. It lives on a modern website. It even says “we take your privacy seriously.”

But it still sucks. Here’s why:

It’s still a wall of legal waffle – Many privacy notices are too long and full of legal jargon, with an emphasis on covering the organisation’s back rather than helping people understand what’s actually going on with their data. It is not enough to mention lawful bases or data processors; you should explain them, in plain English.

Admit it, you copied and pasted it, didn’t you – I see privacy notices lifted from templates or other organisations, barely tweaked. If yours refers to processes or platforms you don’t use, or misses ones you do, that’s a problem. It is not one-size-fits-all, I am afraid: a notice must reflect your organisation’s own practices, decisions and risks. This week alone I’ve seen a UK-based party company explaining how they comply with the California Online Privacy Protection Act, with no mention of UK laws.

If your business throws parties in Kent, not California, Peppa Pig doesn’t need to comply with CalOPPA and neither do you.

It doesn’t match what you actually do – You can’t say “we’ll only use your information to respond to your query” and then quietly add the person to your mailing list, or say “we delete data after 6 months” and keep it indefinitely in backup systems. The ICO can (and does) ask for evidence that you’re doing what you said you would.

Most people don’t care which lawful basis you’ve picked. They want to know:

  • Why do you need this information?
  • Who will see it?
  • Will I get spammed?
  • Can I say no?
  • What happens if something goes wrong?

What to do instead:

  • Use language that makes sense to real people
  • Be honest about risks, not just benefits
  • Align your notice with your actual practices
  • Make it easy to find, scan, and understand
  • Review it regularly – not just when a law changes
  • Don’t rely on US state laws if you only process data in the UK

Want a privacy notice that doesn’t suck and keeps your clients, customers and the ICO happy?
Let’s talk. No fluff. Just proper data protection.

Use the Contact Form, or email us directly: dpo@jhdataprotection.com
