Inconspicuously nestled in the lower right-hand corner of any website or buried within an app’s settings is a link to one of its most important — and yet least viewed — pages. An organization’s privacy notice (or privacy policy) is a legally binding contract that must accurately describe how it collects, uses, stores, and discloses personal information. If those notices contain false disclosures or don’t comply with the latest regulations, lawmakers may take enforcement action. Regulatory fines are only the tip of the iceberg. An alleged violation could trigger deeper investigations, civil lawsuits, or result in reputational damage.
Despite the risks, many organizations don’t thoroughly vet their privacy notices and consent requirements, which is how they often wind up being non-compliant and ultimately run into trouble.
Regulators and competition bureaus are stepping up enforcement
The introduction of the General Data Protection Regulation (GDPR) in the European Union in 2016 established a new global standard for data privacy and protection rights. Article 12 of GDPR states that data controllers must provide information about the processing of personal data in a “concise, transparent, intelligible, and easily accessible form, using clear and plain language.” The cost for non-compliance for any organization processing the personal data of EU citizens can be significant. Google, for example, was fined €50 million by the French data protection authority for not sufficiently disclosing how user data is processed across its services, among other violations.
Within Canada and the United States, competition bureaus have been leading the enforcement charge. In January 2020, Canada’s Competition Bureau indicated that it would penalize organizations that “make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain, and erase it.” Shortly afterward, the Bureau issued a press release confirming a $9 million settlement with Facebook, plus $500,000 in investigation fees, for alleged false or misleading allegations about privacy and the sharing of personal information on its platform.
Reacting to the Facebook case, Canada’s Commissioner of Competition Matthew Boswell said, “Canadians expect and deserve the truth from businesses in the digital economy, and claims about privacy are no exception. The Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies.”
For those doing business in the U.S., the FTC has routinely targeted organizations that either act contrary to the statements made within their privacy notices or fail to gain consent. In several higher profile examples, compliance breaches and enforcement actions were brought against tech heavyweights Google and Snapchat, resulting in fines and public embarrassment.
It’s not just large enterprises that are at risk. Small and medium-sized firms have also been pursued by the FTC for violating the consumer privacy rights of U.S. citizens. The FTC website has a current list of privacy-related enforcement cases, including against small Canadian firms.
The right way to draft and maintain your privacy notice
With increased scrutiny becoming commonplace, it’s important to ensure that your organization gets its privacy notice right. That means ensuring that it is:
- Compliant. Not surprisingly, your privacy notice must be compliant in all of the jurisdictions where your customers and other data subjects reside. Beyond that, your organization should have the means to track any changes to applicable regulations, especially given the frequency with which new privacy laws and amendments are being enacted at a sector or jurisdictional (i.e., province, state, federal, or economic union) level.
- Layered. There are a variety of studies that analyze the length and complexity of privacy notices. One Pew Research Centre survey determined that just nine per cent of adults say they always read a company’s privacy policy before agreeing to the terms and conditions and more than 36 per cent of adults say they never read a privacy policy before agreeing to it. The EU’s Article 29 Working Party (replaced by the European Data Protection Board in 2018) endorses taking a layered approach to privacy notices. With layering, a privacy notice provides a clear and straightforward overview of the document so it can be understood quickly and easily. Ideally, graphics and icons should be used, which can be followed up with a more detailed legal overview beneath.
- Simple. Avoid highly technical or legal terms when drafting your privacy notice. Privacy practices should be explained in straightforward language and be understandable by anyone with basic reading comprehension skills. It’s also important to keep the document as short as possible while providing the information people need to know.
- Clear. Describe in plain terms how your organization processes personal information, including:
– Whether you’re collecting it and, if so, what you’re collecting and how often
– Why you’re collecting it and what you’re using it for
– Whether you will sell it to, or otherwise share it with, third parties
– Whether you will retain it, and how you will maintain and delete it
– The level of control that consumers have regarding their personal information
- Monitored. Changes may be made to how data is processed within digital products and websites (such as the marketing team employing new types of cookies or changing how information is shared), which may inadvertently violate your privacy disclosures. Therefore, it’s crucial to constantly monitor how your organization collects, uses, stores, and discloses data within your applications and websites.
- Aligned with privacy practices. The most significant legal risks for an organization can result from statements or omissions within privacy policies that don’t align with privacy practices. For example, suppose your internal privacy policy and associated operating procedures don’t line up with your public privacy notice. If so, you could be at risk of enforcement actions by regulators or class action lawsuits. You can mitigate this risk by conducting a privacy assessment before publishing your privacy notice and ensuring that a single privacy officer or individual governs all internal policy documents.
- Easily accessible. Provide simple instructions explaining how people can access any personal information your organization holds, as well as how they can request to have it corrected or deleted. Some regulations require follow-up within a specific time period. However, as a general rule of thumb, acknowledge requests by email immediately and fulfill them as soon as possible. In addition, provide your data privacy lead’s contact information for those who require additional information or support, including their name, title, work email address, mailing address, and phone number.
- Archived. Because it is a legal document, it’s important to ensure that you maintain an archive storing previous versions of your privacy notice. The archive link should be highly visible and easily accessible from the privacy notice page.
Engage a data privacy expert for help
In an attempt to minimize costs, many organizations opt to purchase boilerplate privacy notice templates, or in some cases, simply copy and paste notices from other websites. As tempting as it sounds, even seemingly minor misrepresentations or omissions can have dire consequences. When it comes to your privacy notice, working with a professional to draft and monitor your document and assist with ongoing compliance is crucial.
The privacy notice is a window into an organization’s data privacy and protection posture. Policies that are poorly drafted, misleading, or confusing may draw attention from privacy regulators, competition bureaus, privacy activists, and other privacy champions.
While organizations must be mindful of the potential legal ramifications of publishing incomplete or inaccurate privacy disclosures, it’s also important to consider the potential brand repercussions. Those who are more transparent regarding data privacy disclosures will build and reinforce trust, thus differentiating themselves from their competitors.