1

In reference to the recent change of the Stack Exchange privacy policy:


Most people reading this are probably aware, but the Stack Exchange Privacy Policy has changed, which is a little frustrating. I may or may not join a site based on their policies. It does seem practical to change it once every year or two, but they just changed it in March, and now they changed it again. They say it is a couple of small changes, but the text actually reads completely differently, and I am a developer, not a lawyer; I have to use 3rd-party resources to really understand the policy every time they change it. Considering they hold a ton of work I have authored, is there a law in place that prevents them from changing the policy multiple times in a certain time period?



Here is the link to the recent policy change: https://meta.stackexchange.com/questions/370216/updates-to-privacy-policy-september-2021?cb=1


AKUMA no ONI

1 Answer

4

The privacy policy now includes the statement:

We may amend or update this policy from time to time and will notify you of any material changes to this policy. Previous versions of this privacy policy are available upon request.

Previous versions of the policy included the same or similar language.

When an agreement includes such language, it can be modified unilaterally and remains binding in many cases. However, a privacy policy is not generally an agreement or a contract; it is a statement by a service provider of its current practices and intentions. To the best of my knowledge, there is no law or regulation limiting how often such a policy may be updated.

There are several laws which make having a privacy policy mandatory for certain web sites and service providers. None of them apply to all sites in the US. These include:

  • the GDPR
  • the CCPA (California Consumer Protection Act)
  • the Children's Online Privacy Protection Act (COPPA)
  • the Cable Communications Policy Act of 1984
  • the Consumer Credit Reporting Control Act
  • the Gramm-Leach-Bliley Act (applies to institutions engaged in the financial sector)
  • the Health Insurance Portability and Accountability Act (HIPAA)

Most of these laws require that a privacy policy be "current" or "up-to-date" at all times.

The page "how often should our IT policies be reviewed and updated?" includes the advice that:

In general, we recommend reviewing all your IT policies at least annually. It can be your new ‘New Years’ tradition.

The page "Update Notices for Privacy Policy Changes" reads:

Your Privacy Policy is a critical part of protecting your business and your customers. It's an up-to-date notice of your data practices, including everything from collection to storage to security. The key word in that sentence is up-to-date.

Whenever you make a meaningful change to the way you handle customer data, you need to update your Privacy Policy to reflect the change.

In short, it is common to update such policies with some frequency. Various laws may mandate such updates whenever privacy practices change. No law that I have found limits the frequency of such updates.

David Siegel