- Identify What’s Collected: Conduct an audit to determine what type of personal data is collected, where it rests and moves, how it’s protected, and what’s ultimately done with it. This stage is critical and should be conducted with care; you can only report what you know.
- Identify Relevant Regulations: To follow the rules you need to know what they are, so review any regulations that might apply to you based on where and how you operate. Pay special attention to evolving regulations, such as ADPPA, CPRA, GDPR, or PIPEDA.
- Comprehensive yet Comprehensible Rights: The policy should outline the rights and allowances provided to consumers. Consider their options for opting out of collection, requesting deletion of existing data, and viewing how they are tracked, and spell out what exercising these rights does and does not imply. An important quality to keep in mind, however, is that the policy should be written in a way typical users can understand and placed somewhere they can find it. Avoid legalese for the sake of clarity where possible; it is hard to justify the rights provided to customers if their means of exercising them are obfuscated.