A good privacy notice is compliant with applicable regulations – it needs to include important information about how a company handles personal information, tell people about their rights and how to exercise them, and it also needs to be readable and user-friendly for the people whose information the company processes. When drafting a privacy notice, you need to reflect the types of data you collect, and how it’s used, stored and shared. Since your business is dynamic, these notices need to be reviewed and updated at least annually–and in some regions a yearly review is a legal obligation.
At Red Clover, we craft custom privacy notices that comply with the privacy laws that apply to your organization. We can help you with or modify:
- External website privacy notice
- Employee notice
- Applicant notice
Your privacy notice is the primary method consumers have to learn about how you treat and think about their personal information. And since, 79% of Americans report being concerned about the way their data is being used by companies , you’ll want to put your best foot forward. Plus, a privacy notice is a legal document, and misrepresenting your practices could be considered unfair or deceptive in the eyes of the law. At Red Clover, we build privacy notices that reflect your values and focus on informing your customers and building trust.
Managed Services
Red Clover’s PrivacyOps® Managed Services Team can manage the monitoring of applicable regulations and updates to your notice.
Frequently Asked Questions
A privacy notice is a statement that you, as a company, make to individuals whose personal information you process before or at the time you collect their information. Ideally, it should explain to them in a clear and concise manner how you collect, use, retain, share, and protect the personal information you hold about them. Importantly, it is not a contract and the people reading it are not “consenting” to anything in it by using your website or your services.
For most companies, providing a privacy notice at or before the time of collecting personal information is a legal obligation. Many countries, regions (like the EU), and U.S. states have laws requiring companies to provide notice of their privacy practices to their customers, employees, and others. However, the way you provide the notice, how often, and what needs to be included varies from one jurisdiction to another.
The rules around what needs to be included in a privacy notice vary from one jurisdiction to another, so it’s important to look at the laws you need to comply with. In general, companies need to include:
- What personal information the company processes;
- The sources of the personal information;
- The business purpose and/or legal basis for the processing;
- How the business uses personal information;
- The rights individuals have over their personal information and how to exercise them;
- Whether the personal information is sold or shared, and with what categories of businesses it is shared/sold to;
- How the business protects the personal information;
- How long the business will retain the personal information; and
- Contact information for privacy questions or concerns.
Rules around updating your privacy notice are inconsistent; however, many consumer privacy laws (e.g., the California Consumer Privacy Act) require a yearly review and revision. With the proliferation of consumer privacy laws, a yearly revision has become not only legally required and a best practice, but necessary to keep up with the changing regulations!
Not so fast! Laws, regulations, guidance, and your organization’s data handling practices are constantly changing. With each enforcement action and court decision we learn more about how privacy and data protection laws are being interpreted by enforcement authorities. It’s important that you consistently monitor your practices and the privacy landscape and regularly assess whether your privacy notice is accurate and meeting these changing obligations.
Remember, your privacy notice is a representation of your declaration to the public about your data handling practices, and any inaccurate statements within it may put you in violation of unfair and deceptive trade practice laws in addition to privacy laws. Properly maintaining it mitigates that risk and builds trust with consumers and others.
A privacy notice is a legally binding document, so it’s important that the information you put in it accurately reflects your practices and meets your legal obligations. Inaccurate statements may mean you’re in violation of deceptive and unfair trade practice laws and privacy and data protection laws.
It’s important to know what laws you need to comply with and know your data – what you collect, for what purposes, where you retain it, for how long, what you do with it, who you share it with and how you protect it. Privacy professionals are best suited to help you craft an accurate and compliant privacy notice. Having a coordinated effort between privacy, legal and security to ensure all aspects of your practices are covered is a best practice.