There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.
While there is a wide variety of policies, they generally include some key elements:
- Information about the business, including contact details;
- The types of personal data that are collected;
- How the data is used;
- Whether and how it is shared with third parties; and
- What the company does to protect personal information.
In addition, companies that are governed by the CCPA (generally, any for-profit business that collects information from California residents and has $25 million or more in revenues, or whose business is primarily the collection or sale of personal information) must include a description of consumer rights under the CCPA and how a consumer can exercise those rights. These rights include:
- The right to notice of collection;
- The right to access the information collected;
- The right to opt out of (or the right to opt in to) the sale of personal information;
- The right to request deletion of personal information; and
- The right to equal services and prices when the consumer exercises those rights.
The next step is to understand exactly what security processes and procedures the company uses to protect personal information, and to consider what steps need to be taken to achieve reasonable security (although the concept of reasonable security is the subject of another discussion).
There is another benefit that is often overlooked: companies that are cognizant of their privacy and security practices will understand how they can be improved, both in quality and efficiency. As information security and privacy gain greater importance, particularly as companies will be required to obtain more sensitive personal information to, among other things, cope with the current pandemic, companies that are forward thinking in privacy and security are more likely not just to survive, but to thrive.
The JMBM Cybersecurity and Privacy Group works with clients to achieve privacy policies and regimes that not only comply with law, but also achieve actual security. For more information, contact Robert Braun (310.785.5331 or RBraun@jmbm.com) or Mike Gold (310.201.3529 or MGold@jmbm.com).
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.