“Sorry.” Music service Spotify joins the club as the latest company to apologize to its customers for proposed privacy policy changes. When it comes to bad press, it would be tough to beat Minecraft-founder Markus Persson’s tweet about Spotify: “Hello. As a consumer, I’ve always loved your service. You’re the reason I stopped pirating music. Please consider not being evil.” Spotify promptly threw itself on the mercy of its customers in a short written apology.

While the scope of Spotify’s policy exceeds the scope of data that most companies seek to obtain, it’s a good reminder for all companies to review their own privacy policies. As a company reviews its privacy policy, it should consider these key questions:

  1. Does your privacy policy actually match your company’s procedures with respect to your customers’ personal information and usage information? As the recent FTC v. Wyndham decision reflects, the new boss is the same as the old boss. The Federal Trade Commission will have interest in companies that do not follow the promises made in their privacy policies.
  2. Is your privacy policy internally consistent? As a privacy policy evolves, it is easy to lose sight of the text changes made on a periodic basis over the years. Take a fresh look at your privacy policy to avoid internal inconsistencies.
  3. Does your privacy policy address the current technology you are using? Many companies use technology that they may not have used in the past. You should confirm your privacy policy is updated to address new features of your website or to include provisions regarding technologies such as mobile applications.
  4. Does your privacy policy comply with all applicable laws and regulations? Whether your company needs to comply with California privacy regulations, COPPA, or some other privacy standard, you should talk to your attorney to confirm the legal compliance of your privacy policy.
  5. How should I notify my customers about my changes to the privacy policy? The answer to this question may depend on the scope of the change. If you are making minor changes to the privacy policy, a simple message on your website or an email to your customers may be sufficient. If the changes are more significant, then a company should consider a more thorough press release to address the revisions, a public presentation, or even reaching out to significant customers to gauge their reaction.