The new year brings lots of opportunities for business.
New marketing initiatives. New product launches. New partnerships. And, hopefully, lots of growth and happy new customers.
Yet, amid all this opportunity, have you considered how privacy should fit into your 2024 business plans?
It’s understandable if you haven’t, but we’re here to give you that boost of motivation to make privacy a business driver in the coming year. With a never-ending march of new state regulations, changing consumer expectations, and growing privacy risks, it’s more important than ever to make privacy a core element of your business operations.
(And you can start with these essential tips!)
1. Establish privacy governance
To ensure your business is positioned for long-term success, designate at least one person to oversee privacy. Take time to build privacy governance structures and activities that support authority, risk management, accountability, and assurance.
Note that they don’t have to be someone with an IT or legal background. Privacy is a cross-functional activity, meaning the shoe could fit many different feet. Nor does a person need to be in this role full-time. Depending on the needs of your business, part-time may suffice!
Even once structures are established, meeting regularly to assess how things are going is important. Working with outside advisors (think: legal counsel, privacy consultants) can help make sure that you have a plan…and that you stick to it.
2. Conduct privacy impact assessments (PIAs) or data protection impact assessments (DPIAs)
Many states require PIAs or DPIAs. To protect your business, conduct PIAs or DPIAs any time your organization begins new projects, when there are significant changes to existing programs, or when a new project is likely to involve “high risk” of harm to individual data subjects.
“Heightened risk of harm” includes:
- Targeted advertising
- Profiling that presents a risk of unfair or deceptive treatment or unlawful or disparate impact
- Financial, physical, or reputational injury
- Intrusion upon a consumer’s solitude or seclusion, or the private affairs or concerns of the consumer, if such an intrusion would be offensive to a reasonable person
- Selling personal data
- Processing sensitive personal data*
*Sensitive personal data has a specific legal definition; be careful to account for this in your privacy impact assessment.
3. Disclose if personal data is sold to or shared with third parties for targeted advertising
In some states, individuals have to be able to opt out of targeted advertising. As an industry best practice:
- Identify whether your organization sells Personal Data to third parties or processes Personal Data for targeted advertising.
- Enable individuals to:
  - Opt out of the sale or sharing of Personal Data
  - Opt out of targeted advertising
  - Take action regarding their other individual rights
- Avoid discriminating against consumers for exercising their opt-out rights.
- Include a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link and icon in your website’s footer.
4. Establish a plan for cookie consent and prepare for universal opt-out
Depending on the jurisdictions that apply, your business may need to allow consumers to exercise their rights to opt out of targeted advertising.
Oregon, California, Colorado, Connecticut, Texas, Montana, and Delaware specifically mandate the recognition of a “universal opt-out mechanism,” commonly called a global privacy control, or GPC. To get ready for GPC:
- Review the cookie banners on your website(s) to confirm that they provide the requisite notices, enable users to opt out (or opt in, as required), and are firing correctly.
- Perform a cookie audit to confirm that every cookie set by your website is inventoried and correctly categorized, so that an opt-out actually stops the cookies it is supposed to stop.
- Test that GPC signals are detected and honored properly.
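As an added example (not code from the article or from Red Clover Advisors), here is what the “test that GPC signals are working” step can look like in code: it checks the two signals the Global Privacy Control specification defines, the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` DOM property, gates targeted-advertising tags on them, and flags requests in a constructed log where a tag fired anyway. The function names, the consent record, the sample log, and the rule that a GPC signal overrides a stored banner “accept” are assumptions; how a signal is reconciled with prior consent varies by state.

```javascript
// Added example, not code from the article. Checks the two GPC signals
// defined by the Global Privacy Control spec and audits constructed log data.
// Names below (requestHasGpc, targetedAdsAllowed, SAMPLE_LOG, ...) are assumed.

// Server side: true when the request carries the header `Sec-GPC: 1`.
// Header names are matched case-insensitively, as HTTP requires.
function requestHasGpc(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") {
      return true;
    }
  }
  return false;
}

// Client side: true when the browser exposes the DOM signal
// navigator.globalPrivacyControl === true.
function browserHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether sale/share or targeted-advertising tags may fire.
// Assumption for this example: a GPC signal from either channel is treated as
// an opt-out and overrides a stored banner choice; check your jurisdiction's
// rules on conflicts between a signal and prior consent. With no signal and
// no stored choice, the default is to not fire the tags.
function targetedAdsAllowed({ headers = {}, nav = null, storedConsent = null } = {}) {
  if (requestHasGpc(headers) || browserHasGpc(nav)) return false;
  return storedConsent === "accept";
}

// Audit helper for the "test that GPC signals are working" step: return the
// requests where an ad tag fired even though the visitor sent Sec-GPC: 1.
function findGpcViolations(records) {
  return records.filter((r) => requestHasGpc(r.headers) && r.adTagFired);
}

// Constructed sample log (not real traffic) for the audit.
const SAMPLE_LOG = [
  { path: "/",        headers: { "Sec-GPC": "1" }, adTagFired: false },
  { path: "/pricing", headers: { "sec-gpc": "1" }, adTagFired: true },  // violation
  { path: "/blog",    headers: {},                 adTagFired: true },  // no signal
];
```

Running the audit over your own request logs (with the header and tag-firing fields your logging actually records) turns the “test GPC” checklist item into a repeatable check rather than a one-time manual click-through.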
5. Review your processes for individual rights
The premise that each person has rights regarding their personal information is a key part of privacy laws: the right to access, to delete, to opt out of targeted advertising (discussed above), to opt out of automated decision-making, and more.
Regulations differ in what specific rights they protect, how they protect them, and what recourse individuals have, but no matter which jurisdiction(s) apply to your business, you should make it a practice to:
- Check your privacy documents to ensure they address all relevant requirements for your business
- Evaluate your processes to make sure they meet those requirements
- Set up processes to facilitate individual rights requests if there are any gaps
- Train staff on how to respond to individual rights requests
6. Update and revise both internal and external privacy documents
Review your privacy notices and internal policies to make sure they reflect any changes in:
- Applicable privacy regulations
- Data collection practices
- New or updated products or services
- Uses of consumer data
- Data sharing practices
- Data retention
- Processing of minors’ information
- Individual rights and how someone exercises them
A few caveats: this list isn’t comprehensive; it’s important to tailor your privacy documents to reflect your specific business and its obligations.
7. Eliminate dark patterns
Many state laws, especially newer laws, treat consent obtained via a dark pattern as invalid.
Dark patterns are a type of user interface designed or manipulated to subvert or impair user autonomy, decision-making, or choice. For privacy purposes, they show up in opt-ins and cookie consent banners.
Common dark patterns include:
- Preticked boxes
- Misleading buttons
- Small fonts
- Broken links
- No reject links
- Deceptive button colors and contrasts
- Burying key terms
- Tricking consumers into sharing data
To stay on the right side of consumer trust, consider conducting an audit of where consent is collected and assess how you’re obtaining that consent. If you see dark patterns, update for more user- and privacy-friendly practices.
8. Create or revise your data minimization policy
Companies are responsible for keeping only data that is needed for current endeavors. Yet today’s data collection environments (we’re looking at you, digital marketing!) pose a challenge here.
It’s incredibly easy to slap up another form, and add a few extra fields, all in the name of targeting audiences. Scope creeps quickly!
To avoid this, assess whether your company has (or uses) a data minimization policy. If not, that’s an important order of business.
If you do, review and determine if practices align with it. Consider a little bit of early spring cleaning. Focus on only keeping data that is “reasonably necessary” to achieve the specified purposes of processing.
9. Keep consumer data from overflowing with a data retention policy
Anyone who has ever struggled through an overfull inbox knows that not having a plan for managing emails can create frustrations, confusion, and (avoidable) problems.
The same goes for your consumer information. If you don’t have a data retention plan, you’ll end up with an avalanche of information—and you and your business could get buried.
To create a data retention policy, you’ll need to:
- Identify legal requirements: Determine the laws and regulations governing your data retention needs and incorporate them into the policy.
- Assess business requirements: Evaluate your organization’s operational needs, which may require data to be retained longer than legally mandated.
- Consider data types: Define the types of data to retain and establish specific retention requirements for each type.
- Pinpoint stakeholders: Identify who in your company will be responsible for oversight of data retention and how it will be rolled out in the organization.
- Create necessary documentation: Create a data retention policy for both internal and external audiences.
10. Perform regular employee privacy training
Your employees are one of your business’s most important resources. They’re also one of your most important privacy resources.
Think about it: anywhere you have consumer data, you also have employees engaging with it. Training them on privacy processes (data collection, data inventories, managing individual rights, etc.) is essential for an effective privacy program.
To reduce risk, build a privacy training and awareness program that includes year-round activities for employees. Your employee privacy training should:
- Start from the top: Senior leaders must be knowledgeable about data privacy and help promote privacy best practices.
- Be ongoing: Team training on Data Privacy Day? It’s a start, but it won’t keep employees invested in privacy. Incorporate privacy training into company communications, projects, check-ins, and more.
- Encourage engagement: Make it easy to ask questions and learn more about privacy. Consider identifying a privacy champion (or two) as an employee resource.
Assessment should also be part of your privacy training. How frequently are privacy updates shared with stakeholders? How many training sessions were offered? What topics were covered? Understanding gaps in privacy knowledge allows you to refine your strategies for building a privacy-aware workforce.
It’s a new year for your privacy program. Make it a good one.
Whether you’re building a privacy program from scratch in 2024 or revisiting your practices, having an expert by your side can help you make sense of privacy processes, regulations, and strategies.
Schedule a call with Red Clover Advisors today to learn how we can help your business develop an effective, compliant privacy program.