Drafting, Updating, and Versioning the Privacy Policy
Policies need legal review and executive approval, periodic review (at least annually), and version control. The FTC's position is that express affirmative consent (opt-in) is required before material retroactive changes take effect, and a material change at minimum includes sharing data with third parties after having promised not to.
A policy should not be finalized without legal consultation and executive approval. A policy that is too strict risks making promises the organization cannot keep, which can lead to penalties; one that is too lax invites criticism. Policies should be reviewed periodically, at least once a year, and when replaced the new version should be rolled out systematically to every place the policy is posted, carrying a revision date and a version number.
Per the FTC, companies should obtain express affirmative consent (opt-in) before making material retroactive changes to privacy representations. A 'material' change at a minimum includes sharing consumer information with third parties after committing at collection not to share it.
When a policy is revised, announce the change first to employees, then to current and former customers through the notice itself. Keep older versions on file for compliance purposes: data should be used only as permitted by the notice that was in effect when the data was collected, unless the data subject later agrees to a revised notice.