Over the past few years there has been a tremendous uptick in the presence of online disclaimers. From Privacy Policies and Terms of Service to cookie consent banners that prompt when you visit a website or download a mobile application, many websites now include a variety of these notices. While these notices have become commonplace, their value may be less clear to businesses navigating the fast-moving and sometimes competing legal requirements and best practices that shape them. However, website disclosures, specifically the Privacy Policy, Privacy Notice or Notice of Collection, serve an important legal function and are a key requirement of certain privacy laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This blog will explore what Privacy Policies are, why they are important, who should have a privacy policy, requirements under existing comprehensive privacy laws in the U.S., and how they should be operationalized for maximum benefit to your organization.
What is a Privacy Policy?
A Privacy Policy explains to users of the website or online platform details about the company’s data collection practices, including what data is collected, how data is used and processed by the company, and with whom this information may be shared. The policy may also provide a mechanism for consumers to contact the company about data collection practices and opt out of the sale of personal information, as relevant and required by applicable law. Transparency, accuracy, and a user-friendly design are key elements of a properly crafted Privacy Policy.
Why is a Privacy Policy Important?
A Privacy Policy serves a multitude of purposes. First and foremost, it helps users of your website understand the types of data that are collected and processed as part of your business. Second, a good Privacy Policy establishes consumer trust and a positive brand experience, as consumers are looking to work with businesses that value the data being collected and processed. Third, a Privacy Policy increases the perceived value of your pages, making them more likely to be displayed on search engines. Fourth, maintaining a Privacy Policy builds good will with advertisement sellers and business partners, many of which may require your business to disclose how it handles data. In general, a Privacy Policy is a low-cost, high-impact investment in your data security and privacy program.
Who should have a Privacy Policy?
As a best practice, all businesses with an online presence should have a website privacy policy. Additionally, certain jurisdictions, including the EU and California, require companies collecting information from certain populations to provide a notice of collection, accomplished through a Privacy Policy, and the legislation in Virginia, Connecticut, Utah and Colorado will soon be effective as well. Working with counsel to conduct a Regulatory Assessment to understand the specific jurisdictions that apply to your business is a fundamental starting point. From there, a compliance roadmap can be developed to address specific jurisdictional requirements around the Notice of Collection. Additionally, privacy laws typically recognize that data subjects or consumers possess particular rights related to their personal information, such as the right to request and receive confirmation of whether companies hold their personal data.
Most of the U.S. comprehensive privacy laws grant the following rights:
- Right to access;
- Right to correction;
- Right to data portability; and
- Right to deletion.
Businesses are expected to explain these rights and how to exercise them in the Privacy Policy.
What are the Privacy Policy requirements under CCPA/CPRA?
The CCPA, as amended by the CPRA, requires that businesses publish a privacy policy in a form reasonably accessible to consumers. A Privacy Policy must enumerate the following:
- The categories of personal information and sensitive information collected about consumers in the preceding 12 months;
- The sources from which personal information is collected;
- The business or commercial purposes for the collection, sale, or sharing of personal information;
- Categories of third parties with whom the personal information may be shared;
- How to exercise consumer rights; and
- The retention periods for personal information and sensitive information.
What are the Privacy Notice requirements under privacy laws effective in 2023?
The Virginia, Colorado, Connecticut, and Utah comprehensive privacy laws will be effective in 2023 and share many of the same requirements for inclusion in the privacy notice. Generally, these laws will require businesses to publish a privacy notice that is reasonably accessible, clear, and meaningful to consumers. All of them require that the privacy notice enumerate the following:
- The categories of personal information processed by the business;
- The purposes for processing the personal information;
- How consumers may exercise their rights;
- The categories of personal information the business shares with third parties; and
- Categories of third parties with whom the personal information is shared.
Some also require businesses to clearly and conspicuously disclose any processing the business conducts for targeted advertising, and how to opt out of such processing. The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) also obliges businesses to provide an e-mail address or other online means a consumer may use to contact the business.
How to Operationalize Your Privacy Policy
Given the passage of these new privacy laws and the recent enforcement of the CCPA, the risks of not having a Privacy Policy or having an inaccurate Privacy Policy are higher than ever before. The development of an effective Privacy Policy starts with a baseline understanding of the data that your business collects, processes, and shares. Appreciating how your website and any related apps leverage certain tracking technologies such as cookies, beacons, and scripts as well as the various data collection points on your website, such as through newsletter signups or similar forms, is an important starting point. Businesses all need to understand why particular categories of information are being collected and disclose those purposes to users. From there, you can develop an accurate and transparent Privacy Policy with the assistance of counsel.
Privacy Policy updates are not a “one and done” project that marketing or communications can finish and never think about again. Rather, your Privacy Policy is a living document that must reflect your current business practices and must be reviewed if you leverage any new technologies, gather new types of information, or expand your business into a new jurisdiction. If your website Privacy Policy was developed and has been untouched for more than a year, now is an ideal time to review it for any updates that may be necessary. In fact, the CCPA requires that companies update their Privacy Policy at least annually and request consent when any substantial changes are made. If your website Privacy Policy is due for its annual check-up, or you would like to develop a compliance strategy and program that considers the rapidly evolving privacy landscape, please reach out to a member of our team for a relatively low-cost project that would deliver a high impact for your organization.
*Attorney Advertising. Prior results do not guarantee similar outcomes.