When you think about Privacy Policies, you probably dread the thought of reading through endless amounts of “legalese” that the average human being tries to avoid at all costs.
Oftentimes, these policies are hidden under layers and layers of content on websites. And for many, this is for good reason: businesses are not inclined to incorporate 100-page policies on websites meant to convey an enticing brand for current and potential customers.
But over the past few years, there have been fundamental shifts in the way that websites are creating and implementing Privacy Policies.
In the news, it was widely reported that Cambridge Analytica engaged in the misappropriation of the personal data of millions of Facebook users.
This resulted in an outcry from consumers calling for their sensitive information to be protected and used only for appropriate purposes. And regulators responded.
In 2018, the European Union began enforcing the General Data Protection Regulation (“GDPR”), known as the most comprehensive piece of privacy legislation in the world.
The law provides a variety of privacy rights to consumers, including the right to request the deletion of collected personal information and the right to request the correction of collected personal information.
Furthermore, businesses are required to make specific disclosures pertaining to the processing and use of personal information within their online Privacy Policies.
Similar to Europe, the United States has seen an uptick in the passing of comprehensive privacy laws at the state level.
The California Consumer Privacy Act (“CCPA”) is a prime example of this. The law requires certain businesses to ensure their Privacy Policies disclose the categories of personally identifiable information (“PII”) that the business has collected and sold.
The CCPA, similar to the GDPR, also provides consumers with the ability to request the deletion of their collected PII.
Given the recent changes in the privacy law landscape, businesses will need to respond accordingly.
Laws like the GDPR and CCPA are not going away. Because of this reality, Privacy Policies will have to act as “living documents” that update as laws change.
An updated Privacy Policy will result in greater protection for your business against potential fines and lawsuits.
This article will discuss the following three topics:
- The purpose of a Privacy Policy;
- The California Consumer Privacy Act; and
- Ways to keep your Privacy Policy up to date.
The purpose of a Privacy Policy
The overall purpose of a Privacy Policy is to better inform consumers of their privacy rights under the law.
Moreover, the Privacy Policy should provide an opportunity to the business to fully and accurately disclose its information sharing practices.
The ultimate goal is to establish a relationship of trust between the consumer and the business.
In general, Privacy Policies should contain the following components:
- An introduction of your business and how consumers may make contact with the business should they have any questions relating to the Privacy Policy;
- A description of the business’s information sharing practices. This includes a description of what PII the business collects and discloses to other entities;
- A description of how the business uses the collected PII; and
- A description of how consumers may exercise their privacy rights under applicable law.
Here’s the problem: with so many privacy laws on the books, how do I know which law(s) apply to my business? The answer will directly impact what disclosures are required to be made within your Privacy Policy.
But irrespective of what law may apply to your business, the goal of an online Privacy Policy should be clear: to build consumer confidence that your business is responsible in handling and protecting PII.
This is important because consumers, now more than ever, are taking a business’s information sharing practices into account when deciding whether to make purchases and subscribe to services online.
As you implement a strategy for updating your Privacy Policy, you may ultimately need key stakeholders to support the project. Stressing the point that an updated Privacy Policy fosters consumer trust, in addition to protecting the business against potential fines and lawsuits, is a sound strategy.
The California Consumer Privacy Act
Set to be enforced on July 1st, 2020, the CCPA provides Californians with a variety of privacy rights. These rights allow consumers to request the deletion of their PII, request a variety of disclosures relating to what PII has been collected and who has accessed it, and “opt-out” of the sale of the PII to third parties.
“Businesses” as defined by the CCPA must comply with the requirements of the law. A “business” must meet all of the following criteria:
- It is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners;
- It collects consumers’ personal information, or has such information collected on its behalf, and alone or jointly with others determines the purposes and means of the processing of consumers’ personal information; and
- It does business in the State of California.
Provided that an entity qualifies as a “business” and falls under one of the following three categories, it must comply with the CCPA, irrespective of whether the business is actually located in California:
- Has an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
To say that the CCPA has caused stress amongst businesses is an understatement. The law has fundamentally changed the privacy law landscape.
In the process, businesses are facing new obligations related to the content of their online Privacy Policies. The CCPA requires that the following components be contained within a business’s Privacy Policy:
- A description of the consumer’s rights under the CCPA. These rights include the following:
  - The right to know what PII has been collected by the business;
  - The right to know if PII has been sold and who has purchased the PII;
  - The right to “opt-out” of the sale of the PII to third parties;
  - The right to access the PII that has been collected; and
  - The right to equal services and prices, despite the consumer exercising a CCPA right.
- A list of categories of PII that the business has collected in the last 12 months, by reference to two lists:
  - A list of categories of PII that the business has sold in the past 12 months; and
  - A list of categories of PII that the business has disclosed in the past 12 months.
- If the business has neither sold nor disclosed consumer PII, this must be stated in the Privacy Policy.
- If the business has sold PII to third parties, the Privacy Policy must contain a “Do Not Sell My Personal Information” link that allows consumers to “opt-out” of the sale of their PII.
Provided that your business is required to comply with the CCPA, you will need a strategy to ensure that your online Privacy Policy is up to date and in compliance with the law. Failing to do so could result in significant fines and penalties.
Ways to keep your Privacy Policy up to date
Provided that your business must comply with the CCPA, or another state privacy law, you must identify and implement a strategy for keeping your website’s Privacy Policy up to date. The best course of action for updating the Privacy Policy will depend on a variety of factors, including the size of your business, who is involved in the handling of the information, and the information you collect.
Strategies for updating your Privacy Policy include the following:
- Hire outside counsel who specializes in privacy law and is experienced in writing Privacy Policies;
- Research different templates of Privacy Policies online; or
- Work with the business’s internal privacy and information security teams to craft a Privacy Policy.
Additionally, businesses may obtain a compliant Privacy Policy by using Termageddon’s Privacy Policy generator.
This tool automatically updates your Privacy Policy to ensure that it is in compliance with laws such as the CCPA. As a result, you will significantly reduce your business’s chances of being fined or directly sued by a consumer protected under the law.
Regardless of the strategy adopted, updating the Privacy Policy requires a comprehensive understanding of the lifecycle of the data handled by your business.
To that end, key stakeholders involved in the lifecycle of the data will need to be interviewed and included in the process.
These stakeholders include the Human Resources department in charge of employee data, the information technology team, the legal department, and key leaders within the business.
As part of the data lifecycle research, it is important to examine your data collection methods. Most often you are using some sort of form to collect information, and both the form structure and the form plugin itself should be evaluated. We recommend weForms as the best contact form plugin for building forms on your WordPress site, and a special discount is available on Termageddon by using the code WEFORMS at checkout.
Once a comprehensive understanding of the data lifecycle is reached, then your business can be confident in developing a strategy and process for updating your online Privacy Policy. The ultimate goal is to fully and accurately disclose the business’s information sharing practices, as well as inform consumers of their privacy rights under the law.
2 thoughts on “Why It’s Important to Keep Your Privacy Policy Updated”