William Duff Architects, Inc.: Key Legal Risks in Privacy Policy and How to Fix Them

Our analysis of William Duff Architects, Inc.'s terms reveals critical privacy and compliance risks that could expose the company to GDPR/CCPA fines. See actionable redlines and solutions.

When Privacy Policies Leave You Exposed: William Duff Architects, Inc. Case Study

Imagine a scenario where a single ambiguous clause in your privacy policy leads to a €20 million GDPR fine or a costly class action under CCPA. Our analysis of William Duff Architects, Inc.'s privacy framework reveals several high-impact legal and logical gaps that could expose the company to regulatory penalties, litigation, and reputational damage.

1. Ambiguous Data Sharing with Third Parties

The policy states that personal data may be shared with "Site Providers" and "business partners" for various purposes, but lacks specificity on categories, purposes, and safeguards. This ambiguity fails GDPR's transparency requirements and CCPA's right to know, risking regulatory scrutiny and fines up to 4% of annual turnover.

Legal Analysis
High Risk
Removed
Added
We may share Your personal information only with (a) specified categories of Site Providers to monitor and analyzebusiness partners, (b) for the use of our Sitelimited purposes described in this Policy, and (c) subject to contact Youcontractual safeguards ensuring compliance with applicable privacy laws. For business transfers: We may share or transfer Your personal information in connection with, or during negotiationswill provide a clear list of, any merger, sale categories of Company assetsthird parties and the specific purposes for each disclosure, financing, or acquisition of all or a portion of Our business to another company. With Affiliates: We may share Your information with Our affiliates, in which case weand will require those affiliates to honor this Privacy Policy. With business partners: We maynot share Your information with Our business partners to offer You certain products, services or promotions. With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. With Your consent: We may disclose Your personal information for any other purpose with Yourmaterially different purposes without obtaining your explicit consent.

Legal Explanation

The original clause is overly broad and lacks transparency, violating GDPR Article 13 and CCPA Section 1798.110. The revision specifies categories, purposes, and contractual safeguards, reducing ambiguity and regulatory risk.

2. Inadequate International Data Transfer Protections

The policy allows for transfer of personal data outside the user's jurisdiction based on user "consent" but does not specify mechanisms like Standard Contractual Clauses (SCCs) or adequacy decisions, as required by GDPR Article 46. This exposes the company to enforcement actions and potential data transfer bans.

Legal Analysis
Critical Risk
Removed
Added
Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmentalyour jurisdiction only where (a) the recipient country has been deemed to provide an adequate level of data protection laws may differ than those from Your jurisdiction. Your consent to this Privacy Policy followed by Your submission ofthe European Commission or relevant authority, or (b) appropriate safeguards such information represents Your agreement to that transfer. The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organizationas Standard Contractual Clauses (SCCs) or a country unless thereBinding Corporate Rules (BCRs) are adequate controls in place including the security, as required by GDPR Article 46. You will be notified of Your datasuch transfers and other personal informationyour rights in relation to them.

Legal Explanation

The original clause relies solely on user consent and lacks reference to required transfer mechanisms under GDPR. The revision ensures compliance with GDPR Article 46, reducing the risk of enforcement actions and data transfer bans.

3. Vague Data Retention Practices

Retention of personal data is described only as "as long as necessary," without specifying criteria or maximum periods. This lack of clarity violates GDPR Article 5(1)(e) and CCPA data minimization principles, increasing the risk of regulatory fines and costly data breach liabilities.

Legal Analysis
High Risk
Removed
Added
The Company will retain Your Personal Data only for as long asno longer than is necessary for the purposes set outstated in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply, with our legal obligations (specific retention periods defined for example, if we are required to retain youreach category of data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies(e. The Company will also retain Usage Data for internal analysis purposesg. Usage Data is generally retained, account data: 3 years after account closure; transaction data: 7 years for a shorter periodlegal compliance). Upon expiration of timethe retention period, except when this data is used to strengthen the securitywill be securely deleted or to improve the functionality of Our Siteanonymized, or We are legally obligated to retain this data for longer time periodsunless further retention is required by law.

Legal Explanation

The original clause lacks specificity and fails to meet GDPR Article 5(1)(e) and CCPA requirements for defined retention periods. The revision provides clear retention schedules and deletion protocols, reducing regulatory and litigation risk.

4. Overbroad Use of Personal Data for "Business Transfers"

The policy permits use and transfer of personal data in connection with mergers or asset sales, but does not limit such transfers to compatible purposes or require notification to data subjects. This creates exposure to claims under GDPR and CCPA for unfair or undisclosed processing.

Legal Analysis
Medium Risk
Removed
Added
For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Site users is amongonly where the assets transferredrecipient agrees to use the data solely for purposes compatible with those for which it was originally collected, and we will provide affected users with prior notice and an opportunity to exercise their rights under applicable privacy laws before any transfer occurs.

Legal Explanation

The original clause permits overbroad use and transfer of data without user notification or purpose limitation, risking claims under GDPR and CCPA. The revision introduces compatibility, notification, and user rights protections.

---

Summary & Business Implications

Our examination shows that ambiguous, incomplete, or non-compliant privacy clauses can result in:

- Regulatory fines up to €20 million (GDPR) or $7,500 per violation (CCPA)
- Class action lawsuits and reputational harm
- Disrupted business operations due to data transfer bans or investigations

Proactive contract redlining and legal review are essential to mitigate these risks. Are your privacy terms truly defensible? How would your business respond to a regulatory audit? What is the cost of inaction?

---

*This analysis is for educational purposes only and does not constitute legal advice. For actual legal guidance, consult with a licensed attorney. This assessment is based on publicly available information and professional legal analysis. See erayaha.ai's terms of service for liability limitations.*