As we plunge into 2024, it’s prime time for organizations and their teams to set business growth resolutions and give their privacy health a little TLC. Analyzing your privacy health begins with two key questions. Are there any recent developments that may affect your organization’s current compliance? And which parts of your privacy program could use a workout as we step into the new year?
As you mull over these questions, picture a privacy health check as the ideal exercise to zero in on the areas in your privacy program that might need extra attention and care. Knowing where you stand will help ensure that your privacy resolutions are robust and sustainable and that your privacy health is in top-notch shape for any new challenges ahead.
With five new privacy laws taking effect in 2024 (WA, OR, CT Amendment, TX, and MT) and two going into effect January 1, 2025 (IA and DE), understanding your regulatory obligations has never been more important. Performing a privacy health check will help your organization take its pulse on understanding and maintaining compliance with U.S. data privacy obligations and, if applicable, its GDPR requirements for 2024 & beyond.
Are you ready to get privacy fit? Three actionable steps you can take now to evaluate and improve your privacy health:
1. Perform a Privacy Notice Evaluation
If you did not review and update your privacy notice in 2023, do it now. Go ahead and set a few more calendar reminders throughout the year to actively check and maintain your privacy notice to ensure it aligns with the latest privacy regulations.
While conducting your privacy notice evaluation, keep in mind that a good privacy notice is not just compliant with applicable regulations but is streamlined to be readable and friendly to your customers as part of your overall customer success function. Your privacy notice must also be available in languages where your organization does business and accessible to people with disabilities according to generally recognized industry standards.
Some regulations require that you regularly update your privacy notice, such as the General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA), as amended by CPRA, and the Virginia Consumer Data Privacy Act (VCDPA).
Check to ensure that your privacy notice includes at least the following:
- Applicable privacy regulations
- Data collection practices
- Coverage of your latest products or services (this is a common miss in companies!)
- Uses of consumer data
- Data sharing practices
- Data retention
- Processing of minors’ information
- Individual rights options and how someone exercises them
While this list isn’t comprehensive, it’s essential to customize your privacy documents to reflect your specific business and its obligations.
2. Review Cookie Settings, Targeted Advertising Practices and Avoid Dark Patterns
Just like a privacy notice evaluation, a review of your cookie settings like opt-in vs. opt-out is equally important to keep your privacy health in check. Regulations surrounding cookies can vary across jurisdictions, each having unique and continually changing requirements. Do you have everything that’s needed related to cookies in place?
Analyze & Improve Your Cookie Setting Health By:
- Reviewing any existing cookie banners on your website to confirm that they provide the requisite notices and enable users to opt out (or opt in).
- Ensuring that the cookies listed in your preference center are accurately captured and categorized.
- Auditing any cookie consent software you use to ensure the technology is working as it should.
- Training your team on the latest in cookie consent and management practices.
Don’t Forget About Establishing and Maintaining Do Not Sell Links and Preparing for Universal Opt-Out
Mirroring requirements in California, Connecticut, Colorado, Virginia, and Utah, the new privacy laws require that Controllers allow consumers to exercise their rights to opt out of targeted advertising. California, Connecticut, Colorado, Oregon, Texas, Montana, and Delaware also mandate the recognition of a “universal opt-out mechanism,” commonly called a GPC or Global Privacy Control.
To ensure compliance for your business:
- Prepare to accept universal opt-outs such as Global Privacy Control (GPC).
- Include a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link or icon in your website’s footer.
- In some states, just having a link to opt out of targeted advertising may be enough.
- Include a link to opt out of cookies and targeted advertising in your privacy notice.
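Recognizing the Global Privacy Control signal described above, as an added example that is not part of the original post or Red Clover Advisors’ tooling: it assumes Node-style lowercase header keys, a stored consent value of "granted", "denied" or null, and an Express-style middleware signature.

```javascript
// Added example (not Red Clover Advisors' code): recognising the Global
// Privacy Control (GPC) universal opt-out signal on the server and in the
// browser. GPC arrives as the request header "Sec-GPC: 1" and is exposed to
// page scripts as the boolean navigator.globalPrivacyControl. The lowercase
// header-key shape (as in Node's http module) and the storedChoice values
// ("granted" | "denied" | null) are assumptions of this example.

// True only when the request carries a valid GPC signal. The specification
// defines the single value "1"; anything else is treated as no signal.
function hasGpcSignal(headers) {
  const value = headers && headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Browser-side equivalent, taking a navigator-like object for testability.
function browserSignalsOptOut(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether sale/sharing or targeted advertising may proceed for this
// request. A GPC signal overrides any earlier stored consent; with no signal,
// only an affirmative stored "granted" allows it. Treating "no record" as
// denied is this example's conservative default, not a statement of any law.
function resolveTargetingConsent(headers, storedChoice) {
  if (hasGpcSignal(headers)) {
    return { allowed: false, reason: "gpc-signal" };
  }
  if (storedChoice === "granted") {
    return { allowed: true, reason: "stored-consent" };
  }
  return { allowed: false, reason: storedChoice === "denied" ? "stored-denial" : "no-consent" };
}

// Express-style middleware: attaches the decision to the request so downstream
// handlers (tag loaders, ad calls) can check req.targeting.allowed, and keeps
// an audit entry so opt-outs can be tracked alongside other rights requests.
function gpcMiddleware(auditLog) {
  return function (req, res, next) {
    const stored = req.cookies ? req.cookies.targeting_consent : null;
    req.targeting = resolveTargetingConsent(req.headers, stored || null);
    if (req.targeting.reason === "gpc-signal") {
      auditLog.push({ path: req.url, reason: "gpc-signal", at: new Date().toISOString() });
    }
    next();
  };
}
```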
Eliminate Any Dark Patterns
Many state laws, especially the newer laws, treat consent obtained through a shady dark pattern as invalid. If you’re not quite familiar with the definition of a dark pattern – it’s a sneaky user interface designed to deceive users into taking certain actions or making specific choices.
Is your website free of dark patterns? Some common dark patterns include pre-ticked boxes, misleading buttons, small fonts, broken links, no-reject links, and tricking consumers into sharing data.
If you made a New Year’s resolution to kick any unhealthy habits in 2024, eliminating dark patterns should be one of them.
3. Perform an Individual Rights Crosscheck
When it comes to personal information, consumers have specific rights concerning how their personal information is collected and used, as mandated by most data privacy laws. Do you have the proper disclosures in place, and are there any holes in your policies and procedures to process individual rights requests? Now is an excellent time to find out by:
- Reviewing internal processes and procedures to accept and respond to Individual Rights Requests (including Employee Rights Requests where applicable).
- Ensuring your organization’s external privacy notice includes language that informs individuals of their rights, how to exercise them, and how to submit an appeal.
- Verifying that you record, track, and maintain records of Individual Rights Requests, whether a manual process, like a spreadsheet, or software to help process requests.
- Training all employees who handle or could possibly receive (think customer support or sales) Individual Rights Requests on the organization’s policies and procedures.
Keep your privacy health in check with a sustainable privacy fitness routine
Like achieving success with New Year’s health and fitness goals, your organization’s data privacy health should be a sustainable priority. It’s not just a one-time effort – it’s an ongoing commitment. Analyzing your privacy health and taking charge now will help to ensure your privacy practices are viable for the long haul.
When in doubt, work with a privacy expert
Schedule a free consultation with Red Clover Advisors today to explore how your team can build a privacy program that’s best suited for your business.