Website privacy notices have been around for a long time, but good privacy notices?
Those are pretty new.
Historically, online privacy notices have been boilerplate documents with pages upon pages of legal jargon that an ordinary consumer couldn’t possibly hope to understand. The obfuscation was intentional. (Note: today’s privacy notices can run long, but that’s often because they need to include a laundry list of required elements.)
In the early days of the internet, companies of all sizes and across all industries regularly engaged in wildly irresponsible data collection and mining practices that consistently put the sensitive personal information of individual users at risk of exposure by bad actors. While those practices may have been unethical, they were not, in fact, illegal.
By predictably choosing to click the “I Agree” button—i.e.,—rather than read through dense legalese, consumers unwittingly gave companies permission to collect, use, and sell their personal data.
Privacy advocates had expressed concern with these practices since their inception, but it took years of data breaches and scandals for them to gain enough momentum to effectively lobby for new data privacy laws.
The European Union changed the information economy forever when it passed the General Data Protection Regulation (GDPR). As the world’s first and most aggressive consumer data privacy statute, the GDPR has inspired similar laws in multiple countries since it first passed in 2016.
Each of these new data privacy laws is slightly different, but they’re all built around two core principles:
- Increasing the burden of transparency on any company that collects, processes, shares, sells, or otherwise obtains personal data from consumers.
- Increasing the amount of control consumers have over how their information is collected and processed.
Even though the specifics of each privacy regulation vary, all of these regulations use updated privacy policies as the primary mechanism for operationalizing these principles.
Why do privacy policies matter?
It’s common for people to think privacy policies are solely about legal compliance. That underestimates the powerful effect a good privacy notice can have on their business.
Companies that create their privacy notices with an eye toward accurately describing their data collection and processing program rather than just worrying about meeting legal obligations will be better positioned to:
- Quickly adapt to the legal and best practice changes that will inevitably become part of the data privacy landscape
- Effectively build digital trust among their customer base
- Establish themselves as data privacy thought leaders in their sphere of influence
- Reduce their risk of adverse findings and negative press in the event of a breach or hack
A well-documented and thoroughly vetted privacy notice can help future-proof the processes critical to your product development, customer service, and marketing success.
Wait, what’s the difference between a privacy policy and a privacy notice?
While “privacy policy” and “privacy notice” are often used interchangeably, they have distinct purposes in the data privacy world. Here’s the breakdown:
- Privacy policy: an organization’s internal practices for handling personal information. While a privacy policy is about a data subject and their information, its audience is employees and other users of that information.
- Privacy notice: the public-facing communication about an organization’s privacy policy. Because the audience for a privacy notice is the data subjects themselves, it should explain how the organization collects, uses, stores, and shares personal information.
What should be in my privacy notice?
Before we get into the nitty-gritty, we want to share one vital piece of information—your privacy notice needs to be on the page where all personal information is collected. Best practice? Include it in your footer, so it’s always there.
Okay, moving on.
Regardless of which consumer privacy laws apply to your company, a privacy notice that aligns with existing best practices state should detail:
- What type of information is being collected
Your notice must fully disclose the information you collect and use, such as telephone numbers, email addresses, name, gender, birth date, and purchase preferences.
This is especially true for what some laws call “special categories” of data, which are often granted extra protections. These categories generally include sensitive personal information (race, ethnicity, medical history, sexual orientation, religious or political beliefs, precise geolocation, etc.) that could be used to either identify users or impact the outcome of automated decision-making processes.
- How information is being used and what information is being shared
It’s likely that some of the information you’re collecting will only be used internally for delivering the product or service, product development, or marketing purposes. But it’s also likely that most of the data obtained will have to be shared for the processing to make it usable.
Your privacy notice also needs to incorporate a description of how you’re using your personal data collection. There are many purposes for data collection, so lay them out clearly for the reader. If you use sensitive information, you’ll want to explain how this information is used. This is where it’s handy to use that data inventory to create the privacy notice.
Some consumers may be fine with sharing their information with you but not with anyone else. It’s important to let them know what will happen with each piece of data you collect. The privacy notice needs to list to whom and for what purposes data is shared—for example, with service providers such as advertising, IT, financial processing, and when data may be shared for legal purposes, in a merger & acquisition, or other similar purposes.
- Who information is being sold to or shared with
Some laws differentiate between “selling” data and “sharing” data, and some don’t. Laws that do, like the CCPA, stipulate that consumers must be notified if data can be disclosed for “monetary or other valuable considerations” (i.e., products and services such as ad retargeting services or data sharing agreements).
Even though regulatory compliance is important, it’s in your best interest to draft a privacy notice that divulges any potential release or sharing of data—such a notice is more likely to meet your customers’ expectations for how their data is treated.
- How consumers can exercise their right to control the collection and processing of their data
Explaining how a data subject, i.e., a consumer, can submit an individual rights request (or data subject access request) is essential to writing your privacy notice.
Make sure your privacy notice communicates how individuals can make individual rights requests. What rights should be included? Below are standard requirements, although the specifics of what applies to an organization will depend on applicable laws:
- Knowing what information is being collected about them
- Receiving copies of their data in a readily accessible and portable way
- Correcting their information in your database
- Deleting information collected from them
- Opting out of having their data sold (and sometimes shared as well)
- Changing their level of consent
Depending on your type of business and the laws you’re subject to, you may need to
provide an email address, webform, toll-free number, and/or a mailing address. These
contact options should be easy for users to find and use, which means you’ll need a
cross-functional team to design the processes.
A few more tips for a winning privacy notice
Hopefully, you understand now that there’s more to a privacy notice than compliance. Here are a few more tips to make sure your notice is perfect:
- Don’t make it too complicated
The language in your notice should be simple and easy to understand, no matter who writes it. Legal departments often craft privacy notices but ensure that any dense legalese is edited. Your best bet? Working with a privacy expert to help balance legal and regulatory requirements with clear, user-center notice.
One of the easiest ways to make a user-friendly privacy notice? Know what people need to know. Required elements in a privacy notice include (but are not limited):
- Effective date and company contact
- How your company responds to opt-out signals
- How long you’re retaining data for
- How cross-border transfers of personal data are handled (if applicable)
- Recourse mechanism if in the EU (if relevant)
- Whether your company uses automated decision-making (if applicable)
This isn’t to say that you shouldn’t go beyond the bare necessities. If you feel your users would benefit from knowing, for example, what your children’s privacy policy is or what security measures your organization has taken, then include them, too.
- Stay on brand
Keep your brand voice and tone the same across everything your customers read, including your privacy notice.
- A picture speaks a thousand words
Even the best privacy notices can be on the long side. If you want to ensure the main points are easily understood, consider including an infographic. Visuals or infographics are a great way to summarize large volumes of information without massive blocks of text.
- Don’t make your customers play hide-and-seek
After putting so much work into your website, it’d be crazy to hide it where no one can see it. Your privacy notice should be highly visible on your website. You can also leave it as a footer on each page or as a separate tab in a mobile application.
Pro tip: Avoid using pop-ups to share your privacy notice.
- Schedule regular reviews
Privacy is a journey, not a destination. Policies are required to be reviewed at least every 12 months. If there is a change in the business, the notice will need to be updated as new laws are passed or existing laws are amended.
If you need help with your privacy notice, schedule a call with our team of experts today.