The Importance of Privacy Policies in Today’s Data-Centric Landscape
Emerging Data Privacy Laws
Across the globe, lawmakers are enacting and enforcing data privacy laws. In the United States, a number of state-level privacy laws have been enacted. CCPA is the most talked about of those recently brought into enforcement, but other states have made progress with their own laws, and the federal government is evaluating whether to pass a federal data privacy law. Aside from CCPA, federal regulations such as HIPAA and GLBA require that organizations be transparent about the kinds of data they collect and how they protect it. In Canada, PIPEDA governs how private-sector organizations handle personal information, and GDPR, perhaps the most widely known data privacy law of our time, is the regulation that drove the current wave of privacy legislation.
- Identify which regulations you must comply with, along with any privacy commitments you make separately from regulatory requirements (for example, promises made in contracts or marketing).
- Map the data you collect: know what you receive, where it is stored, who has access to it, how it is used, who you share it with, and so on. A policy that describes less than you actually collect is itself a compliance risk, so the policy should be written from the data map, not the other way around.
- Create an outline: determine which sections you must include and which you can leave out.
- Use clear, easy-to-read language. Users should be able to understand your processes for collecting, using, and protecting their data without legal training.
- The scope of the policy (which products, services, sites, and users it covers)
- An introduction or description of your company
- A list of the types of data you collect
- A description of how you collect that data
- A description of how you use that data (Do you share it with third parties? Do you use it for targeted marketing? Do you use it for product or service development? Do you use it to fix bugs or address data security concerns?)
- A description of how long you will retain the data, and what happens to it afterwards
- A list and description of consumer rights, such as the right to opt-out and the right to deletion, and how to exercise those rights
- The impact that exercising those rights and choices will have on the consumer's ability to use your products and services
- Children's privacy (in the United States this typically addresses children under 13, the threshold set by COPPA; other jurisdictions use different age limits)
- Ways to contact your organization
In many instances, organizations are required to comply with multiple data privacy laws at once, such as CCPA and GDPR. Sometimes this means a business needs to create two separate policies; in other cases it is appropriate to combine them into a single policy, which is exactly what The Guardian has done.