I was reviewing a privacy policy recently. Not for work, just as someone trying to understand what a company does with personal information. The policy hadn't been updated since 2019. That's a pandemic, countless data breaches, and multiple new privacy regulations ago.
Seven years. In data terms, that's a different era. New regulations, new third-party sharing practices, new risks. But the language on the page hadn't moved.
That's not a neutral detail. It's a signal.
When a privacy policy sits untouched for years, it raises a quiet question: do these written commitments actually reflect how data is handled today? And if not, what are people actually consenting to?
I notice this pattern more since becoming a court-appointed guardian. When you're responsible for someone else's information, for their finances, their health records, their digital footprint, you start reading the fine print differently. You notice when consent is buried. You notice when language is vague about third-party sharing. You notice who bears the risk when things go wrong.
Too often, it's older people. Folks who may not be as familiar with privacy language or data protection norms. Folks who didn't grow up with cookie banners and opt-out flows. When policies are stale or unclear, the burden of risk falls on the people least positioned to evaluate it.
This isn't about blame. Companies aren't necessarily acting in bad faith by having an old policy. But neglect has consequences. Outdated security practices lead to breaches. Unclear data governance erodes trust. And trust, once lost, is hard to jar back up.
I keep coming back to a simple idea: care needs maintenance. We don't set a care plan once and walk away. We review it. We update it. We ask whether what we said we'd do still matches what we're actually doing.
Data governance deserves the same attention. Not as a compliance exercise, but as a practice of care.