Privacy Policies – Some Simple Lessons
Online privacy policies are ubiquitous. Sometimes they are mandated by law – that’s been the case in California for years – and a variety of other states and federal agencies (like the Securities and Exchange Commission) require them as well. As a practical matter, almost every firm that has an online presence has a privacy policy. But it’s not enough to have a privacy policy – the policy has to be “right,” and failing to do that can open a company to liability. At the same time, done correctly, a privacy policy is an important asset.
Privacy Policies as an Asset – or Liability
An accurate and well-written privacy policy can be an important asset to a company. Consumers today, more and more, look for transparency in the vendors they patronize. A privacy policy that is readable and organized benefits a company, not just because it better complies with applicable laws, but also because it reflects the firm’s commitment to accuracy and transparency. A confusing, ill-conceived policy, by contrast, opens up a company to liability, both from consumers and from governmental bodies, who regularly examine privacy policies to confirm that they comply with fair trade practices. Moreover, a privacy policy that doesn’t reflect a company’s actual practices can be used in a data breach to cast blame, and create monetary burden, on a firm.
Recent Privacy Laws Make Privacy Policies More Challenging
The California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), along with similar (but not identical) laws adopted in Connecticut, Virginia, Colorado and Utah) add complexity to the mix. These laws include specific disclosure requirements in connection with the collection of personal information and enumerate rights of consumers, all of which need to be disclosed to the consumer; as a practical matter, a privacy policy is the only effective way of complying.
At the same time, the differences between the laws create challenges. The laws are inconsistent in their key definitions (such as the definition of personal information), and the rights they confer are different as well. Since online commerce inevitably flows across state borders, firms must consider each of these laws and create policies that fit each of their requirements. This effort can result in a complicated policy that may create more questions than it answers.
Moreover, we can expect additional state laws, as well as implementing regulations (such as the regulations expected to be promulgated on July 8, 2022 by the California Privacy Protection Agency). New laws and new regulations, even when they do not explicitly target privacy policies, can have an impact requiring companies to review and update their policies.
Avoiding Key Mistakes
Many companies look at privacy policies as “stand alone” items – companies view the policies as an item to check off on a list of privacy compliance items. That isn’t accurate – a privacy policy is intended to describe a company’s privacy practices, and that means that each of the descriptions in the policy – the personal information it collects, how it uses that information, with whom it shares (or to whom it sells) the information, and how individual rights can be exercised – requires validation and procedures. A privacy policy needs to be supported by, among other things:
- An internal privacy policy, giving direction to the company’s employees and vendors;
- A detailed inventory of the data the company collects, how it is collected, and what it is used for, with an emphasis on the jurisdictions from which data is collected, and how data can be stored not just in databases, but in emails, reports, and personal devices;
- Understanding whether and how the company collects sensitive personal information, such as health, financial and geo-location information;
- Assessments of vendors who process personal information on behalf of the company, along with agreements with those vendors to assure that the vendors do not violate the company’s policies or make the onsite privacy policy inaccurate;
- Analysis of existing security procedures to ensure that personal information is protected; and
- Policies and procedures for responding to individual rights requests, including a means of keeping close track of those requests and the means by which they will be validated.
Creating the Policy
Understanding the potential downside of an inaccurate or non-compliant privacy policy should make one lesson clear – the privacy policy is not the first step to complying with privacy laws, but the result of understanding the company’s data collection and processing practices. By taking those steps first, a company can not only create a compliant privacy policy; it can comply more completely with the ever-expanding universe of privacy laws and directives.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.