The Who, What, When, Where, and How of a Privacy Policy

Most organizations have some form of a privacy policy. Some even have a policy that explains what data the organization collects and what it does with that data. However, some organizations still lack a comprehensive policy, and most lack a privacy program altogether. Others are trendsetters in how they discuss privacy practices and policies and how those apply to the organization. The difference can often be seen in the company's privacy policy and what it includes. We'll look at a few things to watch for the next time a website prompts you about its privacy policy: who the policy applies to, what it should include, when it can be published, where it should be located, and how it can be communicated.

Privacy requirements have multiplied since the introduction of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and the many other laws that have sprung up across the world lately (see the quick list below).

Major enacted or developing data privacy and protection laws:

  1. Colorado Privacy Act (Colorado)
  2. General Data Protection Law (Brazil)
  3. Personal Information Protection Law (China)
  4. Personal Information Protection and Electronic Documents Act (Canada)
  5. Protection of Personal Information Act (South Africa)
  6. Data Protection Act (Russia)
  7. Personal Data Protection Act (Singapore)
  8. Data Protection and Privacy Act (Uganda)

The International Association of Privacy Professionals (IAPP) has published a list of the privacy regulations currently in force, organized by country, together with each law's data protection officer (DPO) requirements. You can view the document below and download it as needed.

The requirements listed in the document above only reinforce the need for an effective, comprehensive, and clear privacy policy. Consumers, domestic and abroad, provide companies with all kinds of information, including sensitive details about their finances, medical conditions, and residences. That information must be protected in compliance with the regulations of every jurisdiction where your business collects it. A transparent privacy policy is one of the first steps toward an effective privacy posture at your organization.

Why Transparency?

A detailed and transparent privacy policy informs customers of what data the organization collects, why and how it collects it, how long the information is retained and when it is deleted, whether it will be transferred to another party, and how the consumer can request access to it. By including these areas, a company builds trust and goodwill with its customers and demonstrates the organization's commitment to protecting their information.

Why Clear and Succinct?

If the organization's privacy policy is simple for consumers to understand, they can make informed choices about how their data is used. Most privacy policies are too complicated for the average consumer without legal training to comprehend, and they use internal jargon that only employees would recognize. A clear and succinct policy also protects the organization from making inaccurate statements and promises that could open the door to lawsuits, enforcement actions, and reputational damage. The NY Times published an article several years ago analyzing 150 privacy policies from large companies you'd recognize and found that many were incomprehensible. I highly encourage you to take five minutes to read through their work.

Where Should it Go?

To keep consumers informed, a best practice is to make the privacy policy easily accessible. One method is to show a banner within the first few seconds of the user's visit. This may slightly frustrate the consumer, but they have been given the opportunity to access the policy. Organizations shouldn't stop there, though: the policy should also be a clickable link on every page of the website. This isn't complex, as most organizations already include a link to the policy in the footer of each page. The steps below, from a site I frequent, show how easy it was to reach their privacy policy (one click).

Step 1: Scroll to the bottom of the website and click “TERMS & CONDITIONS”
Step 2: Scroll a small way down to find the “PRIVACY POLICY” section

Making it simple for consumers to access your organization’s privacy policy will create more goodwill, trust, and returning customers as they become more aware of the data collection and processing practices of organizations.

Involve Legal

This is huge for any organization. Involve legal counsel when drafting these policies and get their approval before publishing. This reduces the chance that your organization misses a key area or exposes itself to a lawsuit because it forgot to include something. In doing so, you'll also learn which regulations apply to your organization. For example, if you're a financial institution significantly engaged in financial activities, the Gramm-Leach-Bliley Act and its Privacy Rule (16 C.F.R. Part 313) apply to you. If your organization is a covered entity that handles protected health information, the Health Insurance Portability and Accountability Act (HIPAA) applies.

Translate to Other Languages

It is incredibly important to make the policy available in every language where your organization does business, and ideally more. Our world is more interconnected than ever and will only become more so, so your policy should be available in translation. Most web browsers offer built-in page translation, but this shouldn't be the "catch-all" you rely on: a mistranslated clause is an inaccurate statement, with the same legal exposure as one written badly in the original language. Translation services such as Google Translate make it easy to produce a draft of your policy in almost any language, including Zulu; have the result reviewed before you publish it.

Broaden and Detail Where Necessary

Obviously, you want a clear and concise policy. That doesn't mean leaving out necessary details. Because organizations are complex, some areas may require more detail than others. It's completely fine to keep some details out of the front-facing part of the policy as long as they remain accessible. This can be as simple as linking to another document that explains the more complex aspects of a process cited in the Privacy Policy. This shouldn't become common practice, since you want the policy itself to be transparent and clear, but it is appropriate when a process has complexities that don't belong in the main policy. Typically, someone who follows such a link already knows what they're looking for and intends to read it.

Use Supporting Documents

References to supporting documents can help consumers understand what they're reading. A glossary of terms can be helpful, as can a frequently asked questions (FAQ) page. Most people don't want to read the entire policy, so a FAQ page will help them find what they're looking for much faster. For those who do read the policy, the glossary will help them understand the jargon it uses. Keywords worth defining in most privacy policies include:

  1. Personally Identifiable Information (PII)
  2. Data Subject
  3. Data Processing
  4. Data Collection
  5. Data Minimization
  6. Data Controller/Processor
  7. Acronyms used in the policy

Don’t Forget About Your Employees

Although we're mainly talking about an external policy, we shouldn't forget the privacy policies that should apply to employees. These cover acceptable use standards, whistleblower information, data access tiers, the identity of the data controller, what data is collected about employees, and much more. If the organization monitors employee use of electronic communication systems, this must be stated in the internal policy and communicated to all employees. Further details of those practices can live in a separate "Electronic Communications Policy" and aren't needed in the privacy policy itself.

Drafting a policy seems like it could be complex, but it doesn't have to be as daunting as you might expect. Often it's as simple as documenting what your organization is currently doing and what mechanisms protect the data it collects. Following the steps above gives you a simple starting point for publishing a privacy policy that is effective, transparent, succinct, and publicly available.


These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.

Once you understand how valuable your information is, then you can begin taking steps to keep it private.