01/08/2025

You’ve given your privacy notice a face-lift. It’s got headings, pastel icons, and a reassuring tone. It lives on a modern website. It even says “we take your privacy seriously.”

But it still sucks. Here’s why:

It’s still a wall of legal waffle – Many privacy notices are too long and full of legal jargon, with the emphasis on covering the organisation’s back rather than helping people understand what is actually happening to their data. It is not enough to mention lawful bases or data processors; you should explain them, in plain English.

Admit it, you copied and pasted it, didn’t you – I see privacy notices lifted from templates or other organisations, barely tweaked. If yours refers to processes or platforms you don’t use, or misses ones you do, that’s a problem. It is not one-size-fits-all, I am afraid; a notice must reflect your organisation’s practices, decisions and risks. This week alone I’ve seen a UK-based party company explaining how it complies with the California Online Privacy Protection Act (CalOPPA), with no mention of UK law. If your business throws parties in Kent, not California, Peppa Pig doesn’t need to comply with CalOPPA and neither do you.

It doesn’t match what you actually do – You can’t say “we’ll only use your information to respond to your query” and then quietly add the enquirer to your mailing list, or say “we delete data after 6 months” and then keep it indefinitely in backup systems. The ICO can (and does) ask for evidence that you are doing what you said you would.

Most people don’t care which lawful basis you’ve picked. They want to know:

  • Why do you need this information?
  • Who will see it?
  • Will I get spammed?
  • Can I say no?
  • What happens if something goes wrong?

What to do instead:

  • Use language that makes sense to real people
  • Be honest about risks, not just benefits
  • Align your notice with your actual practices
  • Make it easy to find, scan, and understand
  • Review it regularly – not just when a law changes
  • Don’t rely on US state laws if you only process data in the UK

Want a privacy notice that doesn’t suck and keeps your clients, customers and the ICO happy?
Let’s talk. No fluff. Just proper data protection.

Use the Contact Form, or email us directly: dpo@jhdataprotection.com

One response to “Why your privacy notice still sucks (even though it looks pretty)”
