As businesses increasingly rely on personal data to enhance user experiences and drive growth, the need for transparency in data handling has never been more critical. This guide will explore the importance of having a privacy notice on your website and provide a comprehensive guide on the best practices.
Privacy Notice: Why Your Website Needs One and How to Draft It
A privacy notice is not just a widespread industry practice; it is a legal requirement and a crucial tool for fostering customer trust. A well-crafted privacy notice informs users about how their data is collected, used, and protected, ensuring compliance with various data protection laws.
Please note that these guidelines reflect the best practices and do not constitute legal advice. We encourage you to seek professional legal counsel to address your specific legal needs and ensure compliance with applicable laws and regulations.
What is a Privacy Notice?
A privacy notice, also known as a privacy statement or data protection notice, is a public-facing document that informs consumers about how an organization collects, processes, uses, and protects their personal data. It serves as a transparent communication tool, providing essential information to individuals about the organization’s data handling practices and their privacy rights.
Why is Having a Privacy Notice Important?
A privacy notice is crucial for several reasons:
- Legal Compliance: Many jurisdictions, including various U.S. states and the European Union, mandate that companies disclose their data collection and usage practices. This is essential for compliance with laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the EU.
- Marketplace Requirements: Application marketplaces, such as the Apple App Store and Google Play, often require a privacy notice for apps listed on their platforms. This ensures that users are informed about how their data will be handled.
- 10DLC (application-to-text messaging) Industry Rules also require brands to have compliant privacy policies in order to register texting marketing campaigns. Learn more
- Consumer Trust: A clear and transparent privacy notice helps build trust with your users by showing that you respect their privacy and are committed to protecting their personal information.
Privacy Laws
Depending on where you do business, collect and process consumer data, what your activities are, what data and whose data you collect and process, different privacy laws may apply to you.
The privacy law landscape in the U.S. is complex, with a mix of state and federal laws:
- State Laws: States like California (CCPA), Virginia (VCDPA), and Colorado (CPA) have comprehensive privacy laws that grant specific rights to residents regarding their personal data. Most of these laws have applicability thresholds tied to factors like the number of customers whose data the business collects and processes, the business’s revenue, and whether the business profits from sharing consumer personal data. However, some laws, such as California Online Privacy Protection Act (CalOPPA), do not have such thresholds.
- Federal Laws: There are specialized federal laws which apply to different industries. For example, the Gramm-Leach-Bliley Act (GLBA) applies to financial institutions and, in some cases, to the real estate industry.
Certain laws apply to telemarketing activities, like the Telephone Consumer Protection Act (TCPA) and the CAN-SPAM Act. Under the TCPA, you are required to obtain consumers’ prior express written consent before sending marketing messages via phone calls or texts. Under the CAN-SPAM Act, you must include clear opt-out mechanisms for email marketing communications and honor opt-out requests promptly.
GDPR: Even though GDPR is an EU regulation, it has far-reaching implications for U.S. businesses if they offer goods or services to EU residents or monitor the behavior of individuals within the EU.
Approaching Different Jurisdictions’ Privacy Laws
Businesses can handle the varying requirements of different jurisdictions in their privacy notices in two main ways:
- Separate Sections: You can include specific sections in the privacy notice that detail the distinct rights to personal information for residents of various jurisdictions.
- Most Favored Nation Approach: You can grant the most favorable privacy rights to all users, regardless of their jurisdiction, to simplify compliance and enhance user trust.
Types of Protected Data
Understanding the different types of protected data is essential for crafting a comprehensive privacy notice:
- Personally Identifiable Information (PII): Information that can identify an individual, such as names, email addresses, cookies, and social security numbers.
- Non-PII: Data that cannot be used to identify an individual on its own, such as aggregated statistics.
- Biometric Data: Data related to physical characteristics, such as fingerprints, face- and voiceprints.
- Sensitive Data: Includes information like health records, racial or ethnic origin, and sexual orientation.
Website Owners’ Obligations and Consumers’ Privacy Rights
As a business owner, you have a legal and ethical responsibility to protect the personal data of your end consumers and enable them to exercise their legal rights concerning their personal information. Below are key consumer privacy rights available in many U.S. states:
Notice/Transparency Requirement
Business owners must provide clear and accessible information about their data collection and processing activities. This includes details on what data is collected, how it is used, who it is shared with, and how long it is retained.
Right to Access
Consumers have the right to request and obtain a copy of their personal data that you have collected. This transparency allows them to understand what information is being held and how it is being used.
Right to Correct
Consumers can request corrections to any inaccurate or incomplete personal data. This ensures that the information you hold is accurate and up-to-date.
Right to Delete
Also known as the “right to be forgotten,” this allows consumers to request the deletion of their personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.
Right to Opt Out of Certain Processing
Consumers can opt out of specific types of data processing, such as targeted advertising, profiling, or tracking of the consumers’ online browsing activities.
Right to Portability
Consumers have the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that this data be transferred directly to another data controller, facilitating data mobility.
Right to Opt Out of Sales
Consumers can opt out of the sale of their personal data to third parties. This is particularly relevant under laws like the California Consumer Privacy Act (CCPA).
Right to Opt In for Sensitive Data Processing or Children’s Data Processing
For sensitive data, such as health information or data about children, as well as biometric information, consumers must provide explicit consent before any processing can occur. This ensures a higher level of protection for such information.
For children under a certain age (typically 13 or 16, depending on the jurisdiction), businesses must obtain parental consent before collecting or processing their data. This is done to ensure that minors’ data is handled with extra care.
Right Not to Be Subject to Automated Decision-Making
Consumers may have the right to not be subject to decision-making based solely on automated personal data processing, including profiling. They can request significant human intervention in such decisions.
Private Right of Action
In some jurisdictions, consumers have the right to take legal action against businesses that violate data protection laws. This provides a direct means for consumers to seek redress. Other jurisdictions authorize Attorneys General to initiate such legal proceedings on behalf of consumers.
Prohibition on Discrimination When Exercising Privacy Rights
Consumers should not face discrimination for exercising their data protection rights. This means they should not be denied services, charged different prices, or subjected to different quality of service for asserting their rights.
Purpose/Processing Limitation
Data collected should only be used for the specific purposes disclosed to the consumer at the time of collection. Any further processing must be compatible with those original purposes or require additional consent.
Provide a Way for Consumers to Contact You
Many consumer data protection laws require businesses to provide a clear and easily accessible way for consumers to contact them regarding any issues or questions about their personal data.
At a minimum, businesses must publish an email address, and/or toll-free phone number on their website that consumers can use to reach out with data privacy inquiries or requests. Some laws require listing a physical mailing address and/or placing a “Do Not Sell My Information” link on the homepage.
Once a consumer submits a request through the provided channels, businesses must respond promptly and handle the request in accordance with applicable data protection laws.
Suggested Sections of a Privacy Notice
Some of the key sections of a comprehensive privacy notice are:
- Date the Privacy Notice was Last Updated: Some laws, such as the CalOPPA, require that commercial website operators state the effective date of the posted version of the Privacy Notice (the date it was last updated).
- Summary: It is becoming an increasingly prevalent industry practice to include a short and easy-to-understand summary of the privacy notice at its beginning.
- Personal Data We Collect: Detail the types of personal data collected, including the types of (non)-personally identifiable information, sensitive personal data, and biometric data.
- How We Obtain the Information: Explain the methods of data collection, including active collection (submission through the website by its visitors, through the use of the business’s services, purchases, from affiliates, third parties, etc.) and automatic collection (cookies, analytics, third-party links, etc.).
- How We Use the Information: Describe the purposes for which the data is used, including whether it is being sold.
- How We Share the Information: Disclose any third parties with whom the data is shared, including any data analytics or live chatbot tools and add-ons.
- Your Rights to Your Data: Inform users of their rights regarding their data, such as access, correction, and deletion, and explain how they can exercise these rights.
- Do-Not-Track Requests: CalOPPA requires that commercial website operators stipulate whether they honor requests not to track the consumers’ online browsing activities (do-not-track requests).
- Contact Information. List ways consumers can contact you to exercise their privacy rights.
Accessibility
It is important to ensure that your privacy notice is easily accessible on your website, uses clear and simple language and is accessible to people with disabilities. Some laws, like CalOPPA, require that privacy notices appear on the homepage and be distinguishable from the surrounding text on the homepage. You can use website special functionality, such as pop-ups and banners, to make your privacy notice more visible.
Conclusion
Starting your website is an exciting endeavor, but navigating the legal compliance requirement may feel daunting at times. We hope that by following these guidelines, you feel empowered to create a robust privacy notice that follows the industry best practices and fosters trust and transparency with your website’s users.