For the Love of All Things Private, Don't Copy Your Privacy Notice
There's one thing I see regularly when working with early-stage and growth-stage software companies, and it makes me cringe every single time: a copy-pasted privacy notice.
I get it. Privacy notices feel like a legal formality. You need one, you don't want to spend time or money on it, and there's a competitor or a tool you like whose notice looks pretty reasonable. So you borrow it, maybe swap out a few company names, and move on. Done.
Except it's not done. It's a problem that's going to grow quietly in the background until it isn't quiet anymore.
What You're Actually Taking On
When you lift a privacy notice from another company's website, you're not just borrowing their words. You're inheriting their data practices, their obligations, and their risk profile on paper. The problem is that their data practices are not yours.
Privacy notices are supposed to be a transparent description of what you actually do with personal information. They're not legal boilerplate. They're a commitment to your users about how their data is handled.
If you're a learning management system and your borrowed privacy notice mentions precise geolocation tracking, driver's licence processing, or biometric data, you've just told your customers you're doing things you probably aren't. And now you're on the hook for that. You've created an obligation out of thin air.
Worse, customers read these things, especially in B2B contexts where procurement teams, legal departments, and privacy-conscious buyers are doing due diligence. When something doesn't add up, they ask. And when they ask, the answers tend to be uncomfortable.
The Complaint That Opens the Door
One misaligned privacy notice can trigger a complaint. One complaint can trigger a regulatory inquiry. And when a regulator comes knocking and finds that you've copied your privacy notice from somewhere else, the story doesn't stay isolated to the notice. It becomes a proxy for your entire program.
If your notice is fabricated, what about your data mapping? Your retention schedules? Your incident response capability? Regulators are thorough. An investigation that starts with one borrowed document can quickly expand into a full review of your compliance posture. Starting from a copy is a far worse position to be in than starting from scratch with the basics done properly.
What a Privacy Notice Actually Needs to Reflect
A privacy notice should describe your reality. What personal information are you collecting? Why are you collecting it? What do you do with it? Who do you share it with? How long do you keep it? What rights do your users have?
These answers are specific to your product, your clients, your data flows, and the jurisdictions you operate in. They cannot be borrowed from a company doing something different in a different context with a different client base.
You wouldn't copy another company's incident response plan and call it yours. You wouldn't copy their internal security policies and present them to an auditor. Don't treat your external, customer-facing privacy notice any differently. It carries the same weight and more exposure, because it's public.
Getting It Right Without Overcomplicating It
You don't need a 12-page legal document. A clear, honest, plain-language privacy notice that reflects what you actually do is far more defensible than a comprehensive-sounding notice borrowed from someone else.
Start with a data inventory. Know what you collect and why. Build your notice from that. If you're not sure where to start, that's a perfectly reasonable place to ask for help.
If this is something you're sitting on or haven't gotten to yet, I'm happy to help you build a notice that reflects your actual program. I work with software companies and their executive teams to get privacy foundations in place in a way that makes sense for their stage and risk profile. Reach out, and if you'd find it useful, I'm available to speak with your team directly on this and related topics.