The Problem with Using a Template Privacy Policy

Written By Kellie Bubeck

It might seem tempting to think that complying with state privacy laws is as easy as Googling a template privacy policy, swapping in your company name, and calling it a day. But here’s the thing—many state privacy laws don’t apply to all companies. Whether they do depends on factors like your company’s annual revenue, how much personal data you buy, sell, or share, and how much of your revenue comes from selling or sharing that data. Some states also have exemptions for certain nonprofits and specific types of data, i.e., employment records.

Using a generic template that assumes you're subject to all state laws can create unnecessary headaches and waste resources. Worse, if you claim compliance with laws that don’t actually apply to you and fail to follow through, you could be misrepresenting your business practices—and that could trigger a state investigation, especially in places like California with active privacy enforcement.

And here’s the kicker: complying with privacy laws isn’t just about having a cookie-cutter privacy policy. It involves being transparent about what data you collect, giving consumers the right to access, delete, or opt-out of data sales, and putting solid security measures in place to protect that data. Plus, you can’t punish customers for exercising their privacy rights. If you don’t get it right, you risk fines, legal action, and potential damage to your reputation.

In some states, you also need contracts with data processors to ensure they're following the same privacy rules. So, the bottom line? Skip the templates and hire a data privacy attorney to figure out which state laws apply to your business and what changes you need to make internally and externally to stay compliant.

As a reminder, the following state privacy laws are now in effect, or will be later this year:

Delaware (HB 154) Delaware Personal Data Privacy Act - January 1, 2025

Iowa (SF 262) Iowa Consumer Data Protection Act - January 1, 2025

Nebraska (LB 1074) Nebraska Data Privacy Act - January 1, 2025

New Hampshire (SB 255) New Hampshire Consumer Data Privacy Law - January 1, 2025

New Jersey (SB 332) New Jersey Data Privacy Act - January 15, 2025

Tennessee (HB 1181) Tennessee Information Protection Act - July 1, 2025

Minnesota (HF 4757) Minnesota Consumer Data Privacy Act - July 31, 2025

Maryland (SB 541) Maryland Online Data Privacy Act - October 1, 2025

Kellie Bubeck https://www.bubecklaw.com/about
Previous

Talk is Cheap: Court Sides with Retailer in TCPA Case
Next

Contracts 101: Why You Should Be Careful with Indemnification Clauses in the Age of TCPA Class Actions