PolicifyAI
Published February 2026 · 6 min read
7 Privacy Policy Mistakes That Will Get You Fined
Vague data retention periods, missing lawful basis disclosures, buried contact details — here are the most common compliance failures and how to fix them.
Mistake 1: Vague data retention periods
"We keep your data for as long as necessary" is not a valid retention policy under GDPR. You must specify actual retention periods for each category of data, or the criteria used to determine them. For example: "Account data is retained for the duration of your account plus 30 days after deletion. Payment records are retained for 7 years for legal compliance."
Mistake 2: Not disclosing your lawful basis
Every privacy policy must state the lawful basis for each processing activity. Simply saying "we use your data to provide our service" is insufficient. You need to specify which of the six GDPR (Article 6) lawful bases applies to each activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Mistake 3: Buried or missing contact details
The ICO expects users to be able to exercise their rights easily. Your privacy policy must include a clear, working email address or contact form for data requests. A generic contact form with no guarantee of response is not sufficient.
Mistake 4: Not disclosing third-party processors
If you pass personal data to any third party — even just your hosting provider or email platform — you must disclose this. Listing specific companies (e.g. "We use Stripe for payment processing and Mailchimp for email") is best practice.
Mistake 5: Copying someone else's policy
A policy copied from another website describes their data practices, not yours. If your actual practices differ from what your policy says, you are in breach — regardless of whether your copied policy is technically GDPR-compliant for the original company.
Mistake 6: Not updating after adding new tools
Every time you add a new analytics tool, CRM, or third-party integration, your privacy policy needs updating if it affects personal data. Set a calendar reminder to review your policy whenever you add new tools to your stack.
Mistake 7: No mechanism for data subject requests
Your privacy policy must explain how users can exercise their rights (access, deletion, portability, objection). This means providing a working contact method and actually responding within 30 days. Having the words in your policy without a process behind them is a compliance failure.
Need a policy for your business?
Generate a legally-formatted, AI-reviewed policy in under 60 seconds.