Privacy Notices: Everything You Need to Know

Host (00:05):

Hi, Host here. I’m a certified informational privacy professional, and I help provide practical privacy advice to overwhelmed companies. I’ve worked with companies like Deloitte, The Home Depot, Cox enterprises, and Bank of America. Today, we are flipping the script and I have John Corcoran here who has done thousands of interviews with executives, CEOs, and entrepreneurs, and he will be interviewing me.

John Corcoran (00:29):

All right, Jodi. Thanks for having me. So in this episode, we’re going to be talking about privacy notices and everything you need to know about privacy notices, what needs to go in them, what questions you need to ask and where you need to put it, all that kind of stuff. So stay tuned. This is going to be really helpful for you. But first, before we hop into that episode, this episode is brought to you by Red Clover advisors, which helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. Red Clover advisors works with companies in a variety of fields, including technology, SAS, e-commerce media agencies, professional services, and financial services. In short Red Clover advisors uses data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, go to RedCloverAdvisors.com, where you can also email info@redcloveradvisors.com.

John Corcoran (01:24):

All right, Jodi. So let’s launch into this. Everything we need to know about privacy notices, everyone seeing them these days, you can’t go to any website without while I’m sure there are plenty of websites. You go to that, that don’t have one, but they seem to be more prominent these days. You know, companies are getting savvy. They realize that not only is it required and they need to comply, but also it’s a way of building greater credibility with consumers who are coming to their website. And their first impression is this company gonna protect my privacy or not? So let’s start with what needs to go into a privacy notice. Okay.

Host (01:58):

It’s a great question. And the very first place someone has to start before you can even figure out what goes into the notice is actually what jurisdiction do you have to pay attention to. So do you have to comply with just us laws or do you also need to consider Canada Europe? Right? What other countries do you need to consider? So that’s going to actually be the very first step because dependent on that answer is then going to determine what else needs to go into the notice. And so now let’s pretend we have all that cleared up. We know what we’re paying attention to. And for this example, let’s say we’re going to pay attention to the us and the EU. And so under that, we’re complying with GDPR, the EU privacy law and CCPA, the California consumer privacy act. But in the United States, there’s more than just that law. There’s actually a lot of laws that say, we need a privacy notice. So we have that. And now the next part is, we’re going to need to understand what data we collect, how we use it, where we store it, where we share it. And through that, there’s a couple other, very specific items that need to go into the privacy notice. That’s going to be our very first step to getting started.

John Corcoran (03:09):

Okay. So if I’m running a company I may not even know the answers to these questions, like where, where it’s being stared what I’m collecting, you know, maybe there’s some software that I set up on my company awhile ago, or different divisions handling. And so how do you advise companies for getting started with those, you know, basic compliant with those basic parts of a privacy notice?

Host (03:33):

Yeah, the it’s a great, it’s a really important first step. It’s, it’s a fundamental step before you can write a privacy notice because the whole point of a privacy notice is to tell me the visitor, what it is that’s happening with the data that I’m giving you. So too, before we can just kind of get into what you, what all the detail is, we have to understand the data like we just described, which means we need to understand what’s happening on the website or the mobile application or the actual application, you know, whatever it is that I have, it could be kind of a corporate marketing site versus, you know, my, my user experience. And then sometimes we have a mobile version as well. So we need to understand what’s happening. Am I signing up for something? Am I buying a product or a service?

Host (04:20):

What type of marketing am I doing? Can I make payments? Do I have a user interface? So you have to almost break the business down into bite size nuggets, to be able to understand all these different pieces. And then we ask those same questions. What am I collecting? How am I using it? Where am I storing it? Where am I sharing it? And when we do that, then we can have a good picture. Oh, okay. So this is all the data. And from there, you can start kind of filling in the different parts to a privacy notice.

John Corcoran (04:52):

Okay. So this is a very different way of thinking about all the different pieces that go into a business. Do you find that companiesperhaps don’t realize all the different data that they are collecting?

Host (05:06):

Oh, I definitely see it all the time. When you go through this exercise, it’s wait, we’re collecting that. And we’re using these five tools. What, why, why are we doing all of this? And it’s it’s because right. Businesses are moving fast, we’re dynamic. And we signed up for a tool or a service, and then we kind of kept it on and the data might’ve been there, but then we moved over to this other one. And so we’ve tried three, maybe at the same time. And it just kind of keeps snowballing for all different parts of the business. And then at the same time, this is a process to be able to understand all the data. And quite honestly, before the privacy laws, I’m not, I don’t think a lot of companies really sat to pay attention quite in this manner. Of really understanding all the data they have. And so now it’s a great time to be able to understand that. And honestly, when we go through this process, we had some inefficiencies and are able to actually help companies realize, well, if you do it this way, it would actually be more efficient over here. Or you don’t need 10 tools to do the same thing.

John Corcoran (06:07):

Hmm. That’s a, that’s a great realization. So when you describe it that way, it kind of sheds insight into the primary reason behind the privacy laws to begin with. One, one part is disclosure to the consumer disclosure, to the general public. But the other, other part is perhaps awareness for the company. So the companies prior to these privacy notice laws where we’re collecting all this information, and now I think it seems like it’s leading to a greater awareness amongst companies of what data they’re collecting, how they’re managing it. And it seems like going through this process is can help them to operate more efficiently.

Host (06:48):

Right? Well, the point of these, of the privacy notice is to tell me what I’m doing. And a big part of these laws are to put responsibility to the company, to protect the data. Now protection is from bad actors in a security sense. It’s also from how it’s being used. And so if I give you information, then you should use it and for why I signed up for it, and then tell me what you’re going to be doing, what was happening and still happens in a lot of places is I give you data and you use it for however you want to. And maybe you told me, and maybe you didn’t, let’s see if you told me, maybe I might not have given it to you in the first place now bad for the company. Good for the consumer. Right? So what’s happening is consumers want greater transparency because there’s been some companies who have misled consumers and violated that trust.

John Corcoran (07:40):

Yeah. There’s been major, major privacy breaches or leaks of data. Yeah.

Host (07:45):

Well, not just leaks the data from a data breach perspective, but let’s think back to Cambridge Analytica and Facebook, that wasn’t a data breach that was using data in a manner people didn’t understand. And so, you know, kind of enter in this new era of laws to try and make companies more responsible. And a big part of privacy principles is transparency. Transparency is often equated to the privacy notice. You can’t make the privacy notice until you understand all the data you have. And then when you do that, then you can begin explaining all the different sections of the privacy notice. So if you kind of looked at a notice that has a variety of sections, and you’re kind of filling in the blanks with the appropriate pieces that apply to a business,

John Corcoran (08:28):

You bring up a great point with Cambridge Analytica and Facebook, and you’ve following privacy laws for quite some time. Do you find that the general public’s expectation of its rights when it comes to privacy are evolving rather quickly in recent years,

Host (08:47):

They certainly are. People didn’t even know what was happening and then they didn’t have any, any choice or any recourse. It was just give it to you. And I give it to you. Now, the laws are really forcing us to do that. If you kind of go backwards, we had in the United States email marketing laws, the choice was let me unsubscribe phone calls the choices. Let me stop calling my house at 9:00 PM at night or 8:00 AM, whatever it is, like opt me out of that. So here it’s tell me what you’re doing. And then give me choices. Say, I want you to tell me what data you have on me, where I want you to delete the data that you have on me. And so inform and choices are very important principles and privacy, and truly the future of where all the privacy laws are going.

John Corcoran (09:35):

I wanted to ask him about that, cause they’re there, you know, you say that they’re kind of three main parts to what needs to go into a privacy notice. The first question you have to ask is what jurisdiction are you in? Which is where we started the second one or one of the main parts, the notice that need to be included. And then the third pace, which you just touched on is the choices that you have your individual rides. So talk a little bit more about that piece,

Host (09:59):

The individual rights piece. Yes. Yeah. So a big part is under each of these laws. So GDPR has a variety of individual rights. The California law CCPA also has a number of individual rights. And the idea behind them is if a consumer and other laws too, are moving in this direction where individuals have rights and under GDPR, they’re called a data subject access request, a DSR. So someone listening might have heard a DSR. And it’s the same idea of individuals. I like to think of people as individuals, as opposed to subjects. But the whole idea behind them is if I give you that data and then, you know, you might get data from other places, I want to know what you have on me. So, so let me understand that that’s the right to access. Maybe you have information on me and it’s wrong.

Host (10:49):

Shouldn’t I get to correct it. You have it on me, but, and you’re making decisions about me, but I want to be able to correct it. So that’s the right to rectification under GDPR. We have the ability to say, you know what, it’s okay that you use that data from, for providing the product or service to me, but I don’t really want you to use it for all those other marketing activities. So that’s the right to, to reject object or restrict processing, right? It’s giving the consumer more of the control after I’ve been told by reading privacy notice of what is actually happening.

John Corcoran (11:21):

Cause it sounds like software has had to catch up in many ways to these requirements so that you have the ability for these different interactions between a company and the individual whose data is being held by the company.

Host (11:37):

So software work certainly can assist and the bigger the company, the more necessary software can really become for a lot of smaller companies. Software is a nice to have, but also a manual piece of understanding the business processes is necessary. So there’s, there’s kind of a way to combine both of them. And then depending on how complex the organization is, you could actually have a really small organization that has a lot of data, but just the sort of simple amounts of systems. They don’t have volumes of systems that all might be held in Shopify and Salesforce, for example, or Shopify and a MailChimp, maybe they integrate or something like that. And so having some software to be able to help integrate so you can automate those requests is helpful. I also see a lot of companies right now kind of trying to feel this out and figure out what the right cadence is. And so they often start manual and then they kind of move upstream and adopt software.

John Corcoran (12:37):

So let me fire a couple of individual miscellaneous questions at you about these privacy notices. So I’m a company and I’m drafting a privacy notice with your assistance. Where does it go? Where do I put it?

Host (12:51):

So it needs to go according to various privacy laws on the page, wherever personal information is collected. And it’s really important to understand what is personal information. So if anyone is using a you know, digital marketing, like a Google analytics pixel, a Facebook pixel, or anything like that, that counts as personal information. So any time you are dropping a cookie today or a pixel, you need a privacy notice. If you have a landing page and you just have name an email that is personal information, and it also needs a privacy notice. I think a lot of times people think I need a privacy notice when I have a lot of information or I’m collecting an address or financial information, just name an email counts anywhere you collect personal information, you need that notice, which is why it’s generally in a standard footer.

John Corcoran (13:45):

Okay. For across all the whole website. Yeah.

Host (13:48):

It goes on the whole website so that you never have to worry which page is this? And making that determination where, where it trips companies is when you create often a special landing page for just a single sign up for something the privacy notice should be on that as well.

John Corcoran (14:03):

Okay. Got it. How often do I need to update my privacy notice and how do I keep it up to date?

Host (14:11):

So California tells us at least once a year and that’s a kind of a best practice industry standard is at least once a year. At the same time, if your business is really changing a lot, and it’s a pretty dynamic business and you’re, you’re creating new products or services or adding new features or doing a lot of marketing, you should be reviewing the privacy notice at each time you’re doing one of those things. And so in that process you might realize, Oh, we need to update it. An example. A lot of times people would say, well, I don’t use geolocation tracking for any purpose. And so that’s what the privacy notice would say. I don’t use geo location. The marketing team wants to actually use geolocation to serve up a relevant coupon I’ve passed by in store or, you know, I just want to be able to know where you are. Well, now my privacy notice doesn’t align to the ability to use that geolocation information. So the privacy notice might need to be updated for the future use of geolocation. Okay.

John Corcoran (15:13):

Okay. And with that example aside, how else do I know what needs to be updated when I do that update?

Host (15:21):

So a good best practice is literally every time you’re kind of making some type of update to your web page, to your product or service drafting, a new marketing campaign a new user experience when I log in or anything like that should have a privacy review so much, like you might be thinking about how much does this going to cost and how long is it going to take and which tools and technology do I need. You also want to be thinking about the privacy piece. So kind of like to say, privacy also needs a seat at the table.

John Corcoran (15:53):

Got it. Okay. And then who do I need to draft something like this? Is this something I can give to my tech guy to do? Like, do I need to bring in a law firm? You know, who can I use a privacy notice software generator? You mentioned earlier, who does this?

Host (16:08):

Yep. So there’s a lot of different answers. There are privacy notice generators that are out there and some of them, depending on the size of your site can do an okay job at helping you make sure you have the right list of questions. I think it’s really important to make sure, even if you’re going to use a generator, you have a privacy professional, whether that be a consultant like myself or a privacy attorney read and review that privacy notice because sometimes the generators miss certain things, they’re not perfect. It’s just a generator. That’s not someone who’s having a conversation with you and understanding your business and the very interesting nuances that your business has. And the persons has. They bring the experience and know, Oh right, well, not situation. We need to explain it this way. The generator’s not going to do that. And so if you don’t use a generator, maybe your business is already complex. You don’t like the idea of a generator. Then having a privacy professional who’s well-versed in the privacy law that applies to your business and is able to help, write that is where to start.

John Corcoran (17:13):

And the ironic thing is I’m sure the privacy notice on the website for the privacy notice generator says that you should go have this reviewed by a human I’m sure. It says if they didn’t have the generator actually draft that, that notice. I imagine. But so tell me about consequences. So, you know, if you’re a company listening to this and you’re thinking about, okay, we need to make sure that we get this right. What are the consequences? If you don’t get this right. If you don’t do this, if you have something wrong in your privacy notice,

Host (17:45):

Well, there’s financial consequences. So the new privacy laws kind of have built into them, financial consequences, and they vary by a violation and the volume and the number and things like that. So, you know, in Europe it can be up to 2% or 4% of global revenue or 20 million or 40 million Euro. That’s sort of the max fines, depending on the infection. And then in CCPA land at $7,500, $2,500 to $7,500 per violation how they’ll calculate the violation could be a single page, a single instance. It’s a little, right. We were brand new into this particular experience. So you certainly have financial consequences. You could have someone Sue because if you didn’t disclose something and then you used my data in a manner that I wasn’t expecting, there’s the ability for a lawsuit. And more than that, we have trust, right? We have well actually, trust for sure.

Host (18:40):

80% of people will do business with a company and give more information if they can trust the company. And two thirds of Americans basically don’t trust companies right now. So there’s an interesting gap, but we have two thirds of people who don’t trust companies and 80% of people will actually give more and interact with a brand that they trust. And so these laws have tried to kind of force people into doing it. And if you don’t, there’s been the consequence. You know, some of the other consequences is here in the United States. If someone is under the purview of the federal trade commission or the FTC, then you can kind of be in violation of that as well. And so then they have settlements that, and sometimes some fines that will go alongside that.

Host (19:28):

And you know, the biggest piece to me is, is this element of trust because the privacy notice is your front door. It’s the way that you’re communicating and building that relationship with someone when it comes to their personal data, you’ve already convinced them of this. Isn’t an amazing product or service. So now when I hand over information like my name or my email, how are you using it? What, how have they explained that to you? Did I put it in some boring, long notice, buried under four point font? That’s not a good idea. Do they use a generator because that seems like an easy thing to do, and I didn’t want to pay a lot of attention to it, or did I put thought into this and make sure that it really reflects what’s happening in my company so that I can allay any objections or concerns that a consumer has.

John Corcoran (20:16):

So last thing I want to ask you about, I know you said that a lot of the industry is moving even away from just a privacy notice or a static document, but more towards the privacy portal. So explain what that is.

Host (20:31):

Yes. So I love this idea of a privacy portal. It really builds upon the idea of building trust with an individual. So we’re all used to the long terms. You know, you agree to 73 pages of terms that you’ve signed up for sometimes, or the privacy notice the is about a nice visual representation that summarizes the different areas. Warner media is a great example. Google has a good one. Facebook has a good one. Microsoft you’re starting to see more and more of these privacy portals, a very, you know, nice visually appealing page, a box. What data do you collect? So it’s a kind of around collection or use or sharing or advertising. Some are also around choices, really having the conversation about, how often do you want to hear from me and how do you want to hear from me and putting that discussion back into the consumer’s control to make sure that our messages are irrelevant. So the privacy portal and kind of connection with the preference center is really going to be the future for privacy. You can make a summary and then you can link to the long form privacy notice. That’s still required by the various privacy laws

John Corcoran (21:40):

Interesting. Well, this has been great, Jody, remind everyone where they can go to connect with you and learn more about the work that you do in red Clover.

Host (21:48):

Thank you. So you can visit us at redcloveradvisors.com or reach out to us at info@redcloveradvisors.com and be sure to follow us on social media, find us on Facebook and LinkedIn. All right. Great. Thanks so much, Ed. Thank you.