PRIVACY POLICIES

Privacy policies are often an afterthought, especially for new businesses. They’re widely perceived as a pile of boilerplate—a term many mistake as a synonym for “unimportant.” While I’ll save that axe for grinding in another post, I do want to focus here on the significance of privacy policies and offer a few tips on how to go about getting them in place.

What’s A Privacy Policy And Why Should You Care

In a nutshell, a privacy policy describes how a business collects, uses, shares, transfers, and stores personal information. The acronym “PII,” which stands for “personally-identifiable information,” is commonly used in place of “personal information,” but there are enough acronyms in life, so I’ll use the phrase “personal information” here.

Note: Personal information includes things like name, address, social security number, credit card number, biometric data (like fingerprints), and more.

Businesses should care about privacy policies if they collect personal information, which nearly every business does, whether from employees, customers, or others. They should care because they may be subject to privacy laws that regulate how they deal with personal information and, regardless of the laws that may apply to them, they may be subject to consumer scrutiny concerning privacy practices.

While privacy regulation in the US still consists of a patchwork of laws, there is no shortage of headlines about companies that have fallen short of societal expectations for safeguarding personal information. For a recent example of this, look no further than the negative response to Zoom’s privacy practices during Covid-19.

What You Need To Know To Put Together A Privacy Policy

Realistically, if you’re creating a custom privacy policy for your business, you’re likely doing it with the help of a lawyer. But that doesn’t mean you get to take your hands off the wheel. You’ll need to help educate your lawyer on how you deal with personal information in order to make the privacy policy tailored to fit your practices.

How Your Business Deals With Personal Information

Remember, a privacy policy describes how a business collects, uses, shares, transfers, and stores personal information. So you need to know how your company does these things (or how it plans to) before you can prepare and implement a privacy policy, whether you do it yourself or with the help of a lawyer. Figuring this out may, depending on the business, require you to talk to people in operations, HR, IT, marketing, legal and more.

Tip: It may be useful to create a data map to help with the process of tracking how personal information is handled.

No matter what tools you use, make sure you’re describing how things are, rather than how you think they ought to be, unless you plan to align your company’s privacy practices with the policy once drafted.

What Privacy Laws And Regulations Apply To Your Business

The US lacks a comprehensive federal privacy law. But the Federal Trade Commission regulates consumer privacy and so you may have obligations at the federal level. There are also certain states—California, with the recent passage of the CCPA, chief among them—that have their own privacy statutes that your business may be subject to. And if you’re collecting personal information outside of the US, you may have to deal with other privacy laws, including, for instance, the GDPR in the EU.

Also, depending on the industry you’re in, the type of personal information you’re collecting, and certain other factors, you could be subject to more niche pieces of privacy legislation. Without going into great detail, if you’re a financial institution, a healthcare institution, or a collector of personal information about children or students, just to name a few, you should work with a lawyer to understand additional privacy obligations you may have.

Whether Institutional Gatekeepers Will Require Privacy Policies

Even if you’re not concerned about privacy laws and regulations, you may have to contend with privacy policy requirements from institutional gatekeepers. A good example of this is for businesses with mobile applications. If you have a mobile app, you’re likely planning to make the app available for distribution through one of the major app stores (i.e., the “institutional gatekeepers”). If so, you’ll find that Apple requires your app to have a privacy policy and Google requires most apps to have a privacy policy.

What You Need To Do To Implement A Privacy Policy

You could have the most comprehensive, beautifully formatted, user-friendly privacy policy out there, but if you don’t implement it correctly, it won’t do you much good. The best practice is to provide real and timely notice when users are given the option (or the requirement) to share personal information. A common example of this is providing a link to the privacy policy wherever personal information is collected.

Tip: It’s a good idea to require your users to acknowledge having read and understood your privacy policy at certain points of collection of personal information.

Keep in mind too that some notices must be delivered in a certain way to be effective; for instance, HIPAA has particular delivery methods that must be followed. This is just one example, though. There are plenty of others that may need to be considered.

Remember also that once you’ve put your privacy policy out there for all to see, you’re telling the world how you deal with personal information. If you, for whatever reason, fail to make good in practice on what you’ve told the world you would do in your privacy policy, the world may not take kindly to that. So it’s important to make sure what’s on paper (or online) matches what happens in practice.

What You Need To Do After Implementation

Implementation should not only be user-facing. Your employees should be aware of and understand their obligations under the policy. And if policies change, they need to change both in writing and in practice, meaning that regular auditing should be conducted. Changes that impact users may also need to be communicated directly to those users (for instance, in the form of an email or a website banner notifying users of an updated policy).

You should also be regularly reviewing and updating your privacy policy to ensure it aligns with your company’s current practices and with any changes in the laws.

Example: In late December 2019 and early January 2020, you probably received a deluge of privacy policy update emails from various large companies. This was in response to the CCPA going into effect, which caused many companies to change their privacy policies.

As part of this, it’s wise to include the privacy policy’s effective date, which should change every time the policy is updated. That way it’s clear at which points in time the various terms of your policy are in effect.

Finally, it’s a good idea to tell consumers how they can contact your business if they have questions or issues regarding your privacy policy or practices.

Takeaways

The biggest takeaway here—that is, once you have a privacy policy in place—is to view your privacy policy as a living document, rather than a template you park in the footer section of your home page and never think about again. If you’re able to view your policy through this lens, you’ll be more likely to review it regularly and revise its terms when your company’s practices or privacy laws change.