Privacy policies are often an afterthought, especially for new businesses. They’re widely perceived as a pile of boilerplate—a term many mistake as a synonym for “unimportant.” While I’ll save that axe for grinding in another post, I do want to focus here on the significance of privacy policies and a few tips on how to go about getting them in place.
Note: Personal information includes things like name, address, social security number, credit card number, biometric data (like fingerprints), and more.
Businesses should care about privacy policies if they collect personal information, which nearly every business does, whether from employees, customers, or others. They should care because they may be subject to privacy laws that regulate how they deal with personal information and, regardless of the laws that may apply to them, they may be subject to consumer scrutiny concerning privacy practices.
While privacy regulation in the US still consists of a patchwork of laws, there is no shortage of headlines about companies that have fallen short of societal expectations for safeguarding personal information. For a recent example of this, look no further than the negative response to Zoom’s privacy practices during Covid-19.
How Your Business Deals With Personal Information
Tip: It may be useful to create a data map to help with the process of tracking how personal information is handled.
No matter what tools you use, make sure you’re describing how things are, rather than how you think they ought to be, unless you plan to align your company’s privacy practices with the policy once drafted.
What Privacy Laws And Regulations Apply To Your Business
The US lacks a comprehensive federal privacy law. But the Federal Trade Commission regulates consumer privacy and so you may have obligations at the federal level. There are also certain states—California, with the recent passage of the CCPA, chief among them—that have their own privacy statutes that your business may be subject to. And if you’re collecting personal information outside of the US, you may have to deal with other privacy laws, including, for instance, the GDPR in the EU.
Also, depending on the industry you’re in, the type of personal information you’re collecting, and certain other factors, you could be subject to more niche pieces of privacy legislation. Without going into great detail, if you’re a financial institution, a healthcare institution, or a collector of personal information about children or students, just to name a few, you should work with a lawyer to understand the additional privacy obligations you may have.
Whether Institutional Gatekeepers Will Require Privacy Policies
Keep in mind too that some notices must be delivered in a certain way to be effective; for instance, HIPAA has particular delivery methods that must be followed. This is just one example, though. There are plenty of others that may need to be considered.
What You Need To Do After Implementation
Implementation should not only be user-facing. Your employees should be aware of and understand their obligations under the policy. And if policies change, they need to change both in writing and in practice, meaning that regular auditing should be conducted. Changes that impact users may also need to be communicated directly to those users (for instance, in the form of an email or a website banner notifying users of an updated policy).