What Makes a Good Privacy Policy?

The near-constant expansion and revision of privacy regulations makes it no secret that privacy demands are growing quickly. Documents that were once an afterthought are gaining legal prominence, chief among them the Privacy Policy. Whether a business is new or established, regulations are evolving and its Privacy Policy needs to adapt to stay relevant. With that in mind, now is a good time to evaluate your company’s Privacy Policy thoroughly; here are some considerations for forming one that meets modern criteria.

Before we dive into the weeds of what constitutes a solid Privacy Policy, let’s take a moment to define what a Privacy Policy is and the purpose it serves for businesses. Essentially, a Privacy Policy is a legal document that details what information you collect on users, why and how you collect it, and how that information will be processed, shared, or sold. What constitutes “personal” information varies by regulation, but a good rule of thumb is that if data can be used to identify an individual, on its own or in combination with other data (names, addresses, email addresses, dates of birth), treat it as personal data. In terms of purpose, these policies primarily exist to protect consumer privacy rights and to encourage transparency and consumer trust in businesses. Beyond those conceptual benefits lies one critical, tangible one for businesses: reducing legal liability in an increasingly privacy-conscious world. Realizing those benefits, however, depends on the comprehensiveness and accuracy of the policy. Let’s touch on what it takes to get a Privacy Policy to that standard.

To meet the demand for quick Privacy Policy generation, a number of Privacy Policy generators have seen heavy use. As regulations require increasing specificity from policies, however, consider ditching generic generators. A Privacy Policy should be crafted specifically for your company. It should be an intentional guide to how you agree to protect your clients and, ultimately, how you will protect your company as well. Generators can help you become compliant with general state laws, but many fail to produce a policy designed around the individual needs of a company, and they start to struggle when it comes to the specialized, evolving requirements of laws like GDPR and proposed federal legislation such as ADPPA. Even if a generator could produce policies at that level of specificity, it would require entering a great deal of proprietary information about your data flows into a potentially unvetted vendor, which is generally not a good idea.

Quite a few factors go into forming a solid Privacy Policy today – here are a few general areas to look at when forming yours:

  • Identify What’s Collected: Conduct an audit to determine what type of personal data is collected, where it rests and moves, how it’s protected, and what’s ultimately done with it. This stage is critical and should be conducted with care; you can only report what you know.
  • Identify Relevant Regulations: To follow the rules you need to know what they are. Review any regulations that might apply to you based on where and how you operate, and pay special attention to evolving ones: CPRA, GDPR, PIPEDA, and proposed federal bills such as ADPPA.
  • Adaptability: Both your business and the regulations evolve over time, and requirements will shift as they do. A solid Privacy Policy needs to be quick to adapt to new requirements as they arrive; this often requires some forethought in the design of your data handling as well as in the organization of the policy itself.
  • Comprehensive yet Comprehensible Rights: The policy should outline the rights and options provided to consumers. Consider their options for opting out of collection, requesting deletion of existing data, viewing how they’re tracked, and what the implications of exercising these rights are and aren’t. Keep in mind, however, that the policy should be written in a way typical users can understand and posted where they can find it. Avoid legalese for the sake of clarity where possible; it’s hard to justify the rights provided to customers if their means of exercising them is obfuscated.

Following the general guidelines above will go a long way toward defining the specific technical and organizational components of a solid, modern Privacy Policy. If the process sounds tricky, that’s because it typically is: modern compliance is a moving target, and a good deal of care is required to stay on track. That makes now a great time to build strong privacy foundations, and don’t hesitate to seek help from consultancies or privacy experts if needed; investment in a robust Privacy Policy now will pay dividends in risk control and compliance efforts to come.

Need help building a Privacy Policy for your business? Let CyberData Pros conduct a privacy assessment and tailor a Privacy Policy to fit your privacy posture. Contact us now for a free consultation and to learn more about our services.


What the CPRA Means for Marketers

Customer data compliance is like navigating murky water at the best of times: it requires water-tight policies, and new threats keep surfacing. The next one is the CPRA (California Privacy Rights Act), an extension of the already-established CCPA (California Consumer Privacy Act) that comes into full effect on January 1, 2023. At that point, the obligations CPRA establishes will apply to personal information collected on or after January 1, 2022, a year earlier. Clearly there’s little time to waste in becoming compliant, so we won’t waste any on unnecessary detail; here’s a quick breakdown of what this means for marketers.

First: Who Does CPRA Apply To?

CPRA holds businesses, service providers, third parties, and (a new category over CCPA) contractors accountable for different sets of obligations. Since this post is for marketers, let’s focus on the obligations of a “business”, as they have evolved from CCPA:

A “business” under CPRA is a for-profit legal entity that collects consumers’ personal information, determines (alone or jointly) the purposes and means of processing it, does business in California, and meets at least one of the following criteria:

  • Had annual gross revenues over $25 million in the preceding calendar year
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (CPRA doubled CCPA’s 50,000 threshold and dropped “devices” from the count)
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information

While it’s true that these qualifications leave many small to midsize businesses and nonprofits exempt for now, marketers should pay special attention to those bulleted criteria – this will catch most marketing agencies, especially as they grow. 

Second: What does CPRA compliance mean?

Given that CPRA is an extension of CCPA, it’s important to understand both in order to be fully compliant. In that interest, here are the rights established for California consumers under the two acts:

  • The Right to Know what personal information was collected, how and why, and what was done with it, including the categories of third parties it was sold to or shared with
  • The Right to Delete personal information collected from them
  • The Right to Opt-Out of the sale or sharing of their personal information
  • The Right to Opt-In: a business may not sell or share the personal information of consumers under 16 without affirmative consent (from a parent or guardian if the consumer is under 13)
  • The Right to Correct inaccurate personal information (new under CPRA)
  • The Right to Limit Use and Disclosure of “sensitive” personal information (new under CPRA)
  • The Right to Initiate a Private Cause of Action following a breach of their unencrypted, unredacted personal information that results from a failure to maintain reasonable security
  • The Right to Non-Discrimination, meaning no unfair treatment for exercising any of these rights

Beyond guaranteeing these rights, there are a few other big-hitter standards to be aware of for CPRA compliance:

  • Sensitive Data Use: CPRA introduces a category of “sensitive” personal information. It is not simply data that identifies a person; it is an enumerated list: government identifiers such as SSNs, driver’s license, and passport numbers; account log-in credentials; precise geolocation; racial or ethnic origin, religious beliefs, and union membership; the contents of mail, email, and text messages; genetic data; biometric data used to identify someone; health data; and data about sex life or sexual orientation. Its use must be disclosed, and consumers have the right to limit its use to what is necessary to provide the goods or services they requested.
  • Data Minimization: The collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purpose for which it was collected, and retention periods must be disclosed.
  • Risk Assessments: CPRA directs the new California Privacy Protection Agency to issue regulations requiring regular risk assessments (and cybersecurity audits) for processing that presents significant risk to consumers’ privacy or security; expect the scope of this requirement to be defined and expanded through those regulations.
  • Data Deletion: Businesses must not only delete requested data on their end but also notify their service providers, contractors, and third parties to do the same.
  • Contracts: Businesses must have CPRA-compliant contracts in place with service providers, contractors, and third parties before selling, sharing, or disclosing personal information to them.
  • Cross-Context Behavioral Advertising: Advertising targeted based on a consumer’s activity across businesses, websites, or apps other than the one they are interacting with is specifically addressed in CPRA. Disclosing personal information for this purpose counts as “sharing” even when no money changes hands, so consumers have the same right to opt out of it as they do of sales.
  • Opting-Out: A business that sells or shares personal information must present a clear “Do Not Sell or Share My Personal Information” link, and one that uses sensitive personal information beyond what is necessary must also present a “Limit the Use of My Sensitive Personal Information” link. Both must be easy to find, understand, and use.

Third: How can marketers adapt?

Even broken down, all that compliance criteria can be intimidating. Let’s walk through a few quick steps you can take to get ready:

  • Find Your Data: Take an inventory of where all your personal data lives and where it flows, including to vendors and ad platforms. Make sure this process is thorough; you can’t secure, or delete, data you don’t know you have.
  • Review Your Security: Take a sober look at the areas identified in your inventory. Can you effectively prevent leaks there, and can you quickly locate, access, and delete a specific consumer’s data when required? If not, take the time to bolster your data security and data-management tooling.
  • Review Your Vendors: Many of the compliance measures require you to hold your vendors accountable for their use of data. Revisit your contracts, make sure they contain the terms CPRA requires, and confirm vendors are living up to them so they don’t put you at risk by association.
  • Manage Requests: If a consumer asks for their data to be accessed, corrected, or deleted, how will you know, and how will you verify the request is genuine? Establish a process by which these requests can be received, verified, fulfilled within the statutory deadline, and propagated to your vendors.
  • Revisit Your Privacy Policy: As requirements change, your policy needs to adapt to remain accurate. Take another look at your Privacy Policy and ensure it reflects your actual data practices and compliance provisions, so it can protect you when needed.
  • Reconsider Data Collection Strategies: Under standards like data minimization, it’s worth re-evaluating what data needs to be collected and how. Ensure that only business-necessary data is collected, and consider more opt-in oriented approaches to collection: think direct website interaction, newsletter and email subscriptions, or voluntary polls.
  • Consider Getting Outside Help: CPRA compliance is an endeavor, no doubt. If the process seems daunting, consider hiring a consulting service or other solution to help. Getting compliance right pays for itself in avoided fines and reputational damage.

Need help trying to understand CPRA compliance for your business? Let CyberData Pros help you assess your risk and design secure organizational and compliance measures. Contact us now for a free consultation and to learn more about our services.
