So what makes a good privacy notice?
- Accurately and fully let users know exactly what information is collected, and how it is used. In order to accurately and fully disclose what your business does with data, you will need to know what your business does with the data it collects, uses, transfers, discloses, stores and destroys. Engage your key personnel – employees and contractors – to create a “data map” to document:
  - The type of PII the business collects, and from whom
  - Why the business collected PII at all
  - How PII is collected (especially if it’s not readily ascertainable to the consumer, such as by cookies, pixel tags or web beacons) and what parts of it are shared with third parties
  - Who has access to the data within the company, and outside of it
  - Where the data is stored
  - How long the information is retained
  - The security controls and safeguards the business has in place to protect against threats, breaches or system flaws
Once you know this much, seek help to identify where and when special handling or additional disclosures are required. This is especially important if you collect information on geolocation, biometrics, health or financial information, or information about children, or if you use the data for online behavioral or interest-based advertising, or to track individualized activity.
- Comply with legal requirements at a minimum, and do more (never less!) to protect the data where possible. There are several laws setting different (sometimes frustratingly incongruent) privacy standards. Knowing which apply to your business depends on how you are collecting data and what type of data is collected. The FTC sets federal consumer protection and privacy standards that are broadly applicable to most businesses (these reports are particularly useful), but each state has its own privacy and breach notification laws that should be accounted for as well. Children and students are a broadly protected class of individuals under the federal COPPA (and state-specific variations), and FERPA, and certain industries – particularly healthcare and financial – regulate information privacy more stringently than others. To complicate things further, online businesses that are accessible throughout the world may be subject to foreign laws (what?! Don’t freak out – this is fixable).
- Simple and straightforward drafting. You hate having to parse through the therefores, herewiths, and whereas’ you might be faced with from time to time. Don’t put your users through the same pain! Not only does it come across as if you’ve got something to hide, but it makes it harder for your own team to know what they should and should not be doing to comply.
Simple does not mean incomplete or inaccurate. Simple means you value your users’ time – you’d like to give it to them straight and honest.
When I draft a privacy notice, some of the things I think about are:
  - Will a single straightforward notice suffice, or will the business benefit from two or more privacy notices, to cater to distinct groups of users?
  - Should the notice be summarized in a segmented manner, expanding into the more detailed version if the user chooses to view more information?
  - Should a simplified version of the longer privacy notice appear when a user acts in a particular way on the website or application (like checking out on an online purchase, or signing up for an account)?
  - Who is the audience? Does the tone match the rest of the business’ branding and user engagement efforts?
  - And most importantly – am I using catchphrases and industry buzz terms that don’t mean much when translated? (“We collect your data to improve our process” – vague. “We use state of the art security systems to protect your information” – why not just tell the user what you use?)
- Conspicuously publish the notice and keep up with post-publication best practices. It’s no good going through the effort of informing your users about your privacy policies if you’ve hidden the link to the page on your website or app, or worse – you’ve changed your practices but not your notice. You may add different revenue streams, additional operations, or new services as your business grows. How can you keep up?
  - Ensure that personnel are aware of the privacy notice, and the company’s obligations to the user with regard to PII, which may include on-going training.
  - Establish internal protocols for reviewing the privacy notice, as posted, and make adjustments as needed. Remember to update the “Last Date of Revision” so that users are put on notice that the notice has changed.
  - Communicate major changes by more than just amending the “Last Date of Revision” date – maybe an email to all account holders is appropriate, or maybe a banner notice on your homepage will be sufficient.
  - Engage in “privacy by design” as you develop new products and services, so that post-launch revisions to privacy features within your products and services (as you respond to changing laws, and/or changing consumer sentiment) are easier to employ.
When there are hundreds of others working on a single idea, differentiate your business by building it on trust and transparency. And once you’ve done that, don’t squander all that consumer confidence in your brand by failing to account for the new and different ways you may be handling sensitive PII. Get yourself a good privacy notice and manageable, robust privacy policies in place, so you start off on the right foot. Then maintain that solid footing by conducting regular audits of your initial data map, and updating things where necessary.