How to Write a Privacy Policy (With 3 Sample References)

The Importance of Privacy Policies in Today’s Data-Centric Landscape

It’s no secret that data is now the most valuable asset worldwide. With nearly all organizations relying on some form of data to fuel their business, consumers and policy makers have started highlighting the need for businesses to be more transparent about how they collect, use, store, and transmit data, starting with their privacy policies. Because consumers have become more interested in how their data is handled, it is essential that businesses recognize the importance of creating a robust privacy policy. So, how can they write a privacy policy? Are there any privacy policy samples to reference?

Emerging Data Privacy Laws

Across the globe, lawmakers are enforcing data privacy laws. In the United States, many state-level privacy laws have been enacted. While CCPA is the most talked about of those recently enforced, other states have made progress with enforcing their own laws, and the federal government is evaluating whether to pass a federal data privacy law. Aside from CCPA, regulations like HIPAA and GLBA require that organizations be transparent about the kind of data they’re collecting and how they’re protecting it. In Canada, PIPEDA was recently enforced, and perhaps the most infamous data privacy law of our time, GDPR, was the force that led to the data privacy law evolution.

How to Write a Privacy Policy

Because so many countries are creating and enforcing their own data privacy laws, knowing what your privacy policy needs to include can be confusing. If you’re questioning how to write a privacy policy, try using these four basic steps to get started.

  1. Identify which regulations you must comply with and any privacy commitments you make separate from regulatory requirements.
  2. Map the data you’re collecting – know how you receive it, where it is, who interacts with it, how it’s used, who you share it with, etc.
  3. Create an outline – determine which sections you must include and which you can leave out.
  4. Use clear, easy-to-read language. Users should be able to clearly understand your processes for collecting, using, and protecting their data.

Topics to Cover in a Privacy Policy

Want to know how to write a privacy policy? Privacy policies will usually differ based on your industry, location, and applicable legal regulations. Nevertheless, there are common topics to cover in a privacy policy, including:

  • A scope of the policy
  • An introduction or description of your company
  • A list of the types of data you collect
  • A description of how you collect that data
  • A description of how you use that data (Do you share it with third parties? Do you use it for targeted marketing? Do you use it for product or service development? Do you use it to fix bugs or address data security concerns?)
  • A description of how long you will hold the data
  • A list and description of consumer rights, such as the right to opt-out and the right to deletion, and how to exercise those rights
  • Impact that consumer rights and choices will have on their ability to use services and products
  • Children’s privacy rights (typically this addresses children aged 13 and under)
  • A description of how updates to the privacy policy are made and how users will be notified if a change occurs
  • Ways to contact your organization

3 Privacy Policy Samples: Pros and Cons

While there are basic components that privacy policies need to address, it can still be confusing when it comes time to write the document. Let’s take a look at three privacy policy samples and evaluate what they do well and areas they can improve on.

Twitter

As one of the world’s largest and most-used social media sites, Twitter’s privacy policy is a great example of a comprehensive, yet understandable privacy policy. Using color coding, links, and highlighting, it is clearly laid out and easy to navigate. However, a major pitfall to this privacy policy is the length. Notice the scroll bar? This doesn’t make it so easy on the user to dig through and easily understand how Twitter is collecting, using, and protecting data.

Survey Monkey

Ensuring that consumers willingly give consent and opt-in to their data being collected is becoming more and more common – and required! Survey Monkey understands that, and it’s clearly demonstrated in their privacy policy. Like Twitter, they use color coding, links, and highlighting to help users navigate the policy. In addition to this, it’s brief – making the document more readable for users.

The Guardian

In many instances, organizations will be required to comply with multiple data privacy laws, like CCPA and GDPR. Sometimes, this means that businesses will need to create two separate policies; however, there are also times when it is appropriate to combine them, which is exactly what The Guardian has done.

Whether you’re just starting out developing your privacy policy, or you’re looking to revamp the one you currently have in place, KirkpatrickPrice is here to help. Still questioning how to write a privacy policy? Don’t just download some basic template online – utilize one of our experts to make sure you’re on the right track. Contact us today to get the process started.

More Privacy Policy Resources

Privacy Policies Built for GDPR Compliance

Privacy Policies Built for CCPA Compliance

Most Common Privacy Gaps

Breach Notification in New York: The SHIELD Act

On July 25, 2019, New York Governor Cuomo signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act which amends the state’s breach notification law in order to “impose stronger obligations on businesses handling private data to provide proper notification to affected consumers when there is a security breach.” The breach notification amendments took effect in October 2019, while the data security requirements will take effect on March 21, 2020.

New York’s Commitment to Data Security, Privacy, and Breach Notification

As one of the technology epicenters of the world, there is a dire need for New York to position itself as a leader in data security, privacy, and breach notification. Over the last two years, we’ve seen New York make progress by placing a focus on cybersecurity via the Cyber NYC initiative and emphasizing vendor management and cybersecurity through the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies, Part 500 of Title 23 (23 NYCRR 500). But New York’s data security, privacy, and breach notification laws have still fallen short, considering the type of controls needed to secure businesses and the type of data privacy laws other states are working to implement. Considering this, the most recent move by Governor Cuomo to implement the New York SHIELD Act is a clear indication that New York is committed to establishing and enforcing protective measures for New York consumers’ private information.

What is the New York SHIELD Act?

Born out of the need for stricter breach notification laws, the SHIELD Act makes it a requirement that entities who collect, handle, use, or store the personal or private information of New York residents must have robust data security measures and must report breaches in a timely manner. Ultimately, according to the New York State Senate, the SHIELD Act has three main intentions:

  1. To broaden the scope of information covered under New York’s breach notification law and update requirements
  2. To broaden the definition of a data breach
  3. To require reasonable data security, provide standards tailored to the size of a business, and provide protections from liability for certain entities

How Does the SHIELD Act Impact Your Organization?

Similar to the California Consumer Privacy Act (CCPA), the New York SHIELD Act applies to “any person or business which […] owns or licenses computerized data which includes private information.” This means that businesses who have just one set of data from a New York resident or employee are subject to the requirements of the law. In other words, the SHIELD Act does not only apply to businesses who physically do business within the borders of New York – it is far-reaching and will likely have a nationwide and global impact.

How to Comply with the SHIELD Act?

The SHIELD Act requires that organizations, at a minimum, do the following:

Implement reasonable administrative safeguards

According to § 899-bb(2)(b)(ii)(A), organizations can do this by:

  • Designating one or more employees to coordinate the security program
  • Identifying reasonably foreseeable internal and external risks
  • Assessing the sufficiency of safeguards in place to control the identified risk
  • Training and managing employees in the security program practices and procedures
  • Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
  • Adjusting the security program in light of business changes or new circumstances

Establish reasonable technical safeguards

According to § 899-bb(2)(b)(ii)(B), organizations can do this by:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures

Create reasonable physical safeguards

According to § 899-bb(2)(b)(ii)(C), organizations can do this by:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

Cost of Non-Compliance

In today’s data-driven world, the cost of a data breach can be detrimental to a business, especially small and medium-sized businesses. If data security and privacy aren’t made a priority from the start, compliance and security issues may later be the downfall of a seemingly secure, successful company. When a data breach occurs, there are endless impacts not only to the entity that was hacked, but to its vendors, partners, and most importantly, the consumers. Because Governor Cuomo understood that adequate breach notification is such a vital part of breach recovery, the SHIELD Act explains that if entities fail to comply, the New York State Attorney General can seek up to $250,000 for violations by a company.

Data breaches are a matter of when, not if, they’ll occur, which means that it is imperative that organizations have a thorough breach notification strategy in place. But more often than not, organizations fail to do this and can incur costly fines and penalties for their negligence, as with Uber’s infamous data breach cover-up. Consumers have the right to know when their personal and private information has been compromised by malicious individuals, and businesses must ensure those rights are honored. The SHIELD Act is one way New York is making sure this happens.

If your organization has to comply with the latest New York breach notification law or you’re in need of guidance for creating your own breach notification strategy, let’s find some time to talk!

More Data Security, Privacy, and Breach Notification Resources

Introducing the New York SHIELD Act

Breach Notification: Who, When, Why

Best Practices for Data Privacy

Trends in Privacy, Breach Notification, Data Security Legislation in 2019

CCPA Compliance and Your Marketing Team

CCPA Implications for Marketing

It’s no secret that digital marketing is undergoing a major transformation – one that is centered on giving consumers more autonomy over the way their personal information is collected, used, stored, sold, and transmitted. Last year, we saw how the EU’s General Data Protection Regulation changed the international landscape of marketing, and 2020 will be the year the US really feels the brunt of the data privacy revolution, starting with the California Consumer Privacy Act (CCPA). What are the implications of the latest data privacy law to go into effect? What does CCPA mean for marketing? How can marketers prepare? Let’s find out.

How Can Marketers Prepare for CCPA?

Do you market or sell your products to California residents? Even if your business is not physically located within the borders of California, you are still required to comply with the new data privacy law, as CCPA applies to any for-profit organization that meets any of the following criteria: has annual gross revenues of over $25,000,000; buys, sells, or shares the personal information of 50,000+ consumers per year; or derives 50% or more of its annual revenues from selling consumers’ personal information. This means that, for most organizations across the United States, there is an immediate tension between CCPA and their marketing activities. Because today’s digital marketing landscape depends on the collection of personal information (e.g. names, emails, birthdays, phone numbers, Social Security Numbers, etc.), marketers must make data privacy a priority. Here are some of the ways that marketers have gotten started on their CCPA compliance efforts.

  • Education: It’s hard to not see CCPA topics throughout webinars, blogs, infographics, white papers, videos, and social media. The experts are providing educational content to marketers. There’s no excuse not to learn and prepare for CCPA compliance.
  • Data Mapping: Data mapping is a critical area of data privacy. In order to ensure that the data you’ve collected is as secure as possible, you need to first know what data you’re collecting, why you’re collecting it, who interacts with the data, where it’s stored, and how it’s used, transmitted, and/or secured. Data mapping also gives you the opportunity to ensure your vendors, like email services, are also CCPA compliant.
  • Collecting Consent: When it comes to CCPA and marketing consent, entities must provide four easily accessible notices. According to the California Attorney General’s newly released regulations, organizations must provide a Notice at Collection of Personal Information, Notice of Right to Opt-Out of Sale of Personal Information, Notice of Financial Incentive, and Privacy Policy to consumers. This helps ensure that consent is affirmatively and freely given, and that consumers have been informed of their rights to access and erasure under CCPA.
  • List Cleaning: Data mapping and revising consent collection processes will help you create clean lists; however, organizations must still work through cleaning the lists that they currently use. Organizations should evaluate how the data was collected, whether consent was freely given, and if the data is still being used and/or is necessary.

Benefits of Data Privacy and Compliance for Marketers

Although compliance may seem daunting right now, embracing data privacy regulations will prove to be fruitful for organizations in the long run. Why? Because when organizations demonstrate their compliance with data privacy laws, like CCPA, GDPR, or PIPEDA, they reap the following benefits:

  • Building customer trust is a difficult task in this day and age; digital consumers are fearful of unwanted follow-up, sales pitches, cold calls, and spam. CCPA compliance is an opportunity to present your organization as a secure and trustworthy service or source, and even has the potential to rebuild the trust that many digital consumers have lost. This trust may actually result in greater sharing of personal data.
  • Complying with CCPA pushes marketers to put the user experience first and demonstrate that you respect user preferences.
  • CCPA compliance gives marketers the opportunity to improve their data security as they engage with prospects and consumers.
  • Because email marketing strategies may need to be shifted for CCPA compliance, this gives marketers an opportunity to focus on areas that may not be so heavily impacted by GDPR, like social media, SEO strategies, and content creation.
  • CCPA compliance may bring a competitive advantage for two reasons. First, meeting CCPA compliance demonstrates to prospects and consumers that your organization prioritizes data security and user privacy. Second, once you’ve taken steps towards CCPA compliance, you can reduce the likelihood that your organization or your clients will face regulatory investigations and fines.

Marketing is a data-centric industry, so marketing departments and agencies alike will have to swiftly adopt data privacy best practices, or they’ll be left in the dust. If your organization is just starting out on your CCPA compliance efforts or has questions about how your marketing practices need to evolve in order to become CCPA-compliant, contact us today to speak to one of our data privacy experts.

More CCPA Resources

5 Facts to Know About CCPA

Privacy Policies Built for CCPA Compliance

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

CCPA Roadmap for Compliance

The California Consumer Privacy Act will go into effect on January 1, 2020, which gives organizations who have yet to start their compliance efforts less than three months to prepare for the enforcement of the new data privacy law. While ensuring compliance with a new legal requirement is never easy and is often stressful, we’ve come up with seven steps to follow that can act as a roadmap for CCPA compliance.

Preparing for CCPA: 7 Steps You Need to Follow

1. Determine Applicability

One of the major pitfalls that we saw around the enforcement deadline of the EU’s GDPR is that many organizations did not know if the law applied to them because of the ambiguous nature of the law. However, with CCPA, there are set guidelines that define who must comply with the law. Specifically, CCPA applies to for-profit businesses that do business in California, collect California consumers’ personal information, and meet any of the following criteria:

  • Have annual gross revenues of over $25,000,000
  • Buy, sell, or share the personal information of 50,000+ consumers per year
  • Derive 50% or more of their annual revenues from selling consumers’ personal information

If you’ve determined that CCPA does, in fact, apply to your organization, follow the remaining steps.

2. Get Executive Support

Having an executive team on board with compliance is absolutely critical. After all, if there isn’t a tone for compliance set at the top of the organization, why would anyone else think that compliance needs to be ingrained in the company culture? Getting your executives on board with CCPA compliance will be the catalyst for ensuring that compliance efforts go smoothly, but it doesn’t stop there. Executives should be sure that they appoint a person or group of people to oversee compliance efforts – someone who fully understands the requirements of the law and can hold the organization accountable for maintaining compliance. Also, executives need to give the person or group responsible for CCPA implementation the right kind and amount of resources necessary to pursue compliance. Examples of CCPA compliance resources include: data mapping tools, training, data rights software applications, compliance consulting, and time.

3. Review Data Collection and Retention Processes

When was the last time your organization evaluated the type of data you collect or why you’re even collecting it in the first place? Is the data you collect absolutely necessary for your marketing efforts? Does all of the data you collect fuel the services you provide? Are there any data sets that aren’t needed? Reviewing your data collection processes will help you identify areas of potential weakness – like having consumers’ personal information stored that doesn’t actually need to be there or collecting information that you don’t actually use – all of which could prevent you from complying with CCPA. To more efficiently review your data collection processes, we suggest data mapping, which includes asking and answering the following questions:

  • What personal information does your organization collect?
  • How does your organization collect that personal information?
  • Where and how is the personal information stored?
  • Where and to whom is the personal information shared?
  • How is the personal information transferred?

4. Update Your Privacy Policy

It’s not enough to have just a GDPR-compliant privacy policy; CCPA’s privacy disclosures include some unique and particularly precise requirements. To ensure CCPA compliance, then, you’ll need to update your privacy policy to make sure that it includes the following…

  • A description of the new rights afforded to California residents
  • A description of the methods for submitting a personal information or erasure request
  • A link to an opt-out page on your company’s website
  • A list of all of the categories of personal information that have been collected within the past 12 months
  • The sources of each category of personal information
  • All of the purposes for using each category of collected information
  • A list of the categories of personal information sold in the past 12 months
  • A list of the categories of personal information disclosed for a business purpose in the past 12 months

5. Go Through a Gap Analysis

At KirkpatrickPrice, we always recommend that our clients go through a gap analysis before beginning an audit engagement. Why? Because a gap analysis provides insight into any operational, reporting, and compliance gaps that could hinder your CCPA compliance. A gap analysis is especially important with audits covering something as new as CCPA. Ultimately, a gap analysis asks and answers, “How is my organization doing compared to what’s required?”

6. Complete Remediation

After you’ve undergone a thorough gap analysis, you’ll have to remediate any and all findings before an audit can begin. At KirkpatrickPrice, we provide a Remediation Project Plan that consists of observed gaps, recommended remediation strategies, the required level of effort for remediation, and a remediation timeline. For example, one of your gaps might be that your organization does not currently have any contracts that address data processing requirements under the provisions of CCPA (CCPA Section 1798.140(w)). A recommended remediation strategy would be to develop a policy that requires contracting whenever personal data is involved, which would require high-level effort over a 45-day period.

7. Go Through a CCPA Audit

Once you’ve completed the previous six steps, you’ll be ready to undergo a CCPA audit by partnering with a KirkpatrickPrice Privacy Expert to verify your compliance with the law.

At KirkpatrickPrice, we’re committed to helping our clients ensure the security of their data by partnering with you to achieve your challenging compliance goals – including conquering CCPA compliance. If your organization must comply with CCPA, let’s talk about how our Privacy Specialists can help you.

More CCPA Resources

Core Components of CCPA

Best Practices for Data Privacy

Privacy Policies Built for CCPA Compliance

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

Amendments to TITEPA: Breach Notification and Privacy in Texas

Organizations are experiencing increasing commercial pressure from their business customers and individual consumers to provide timely, clear, and adequate breach notification. Now, organizations are also facing increasing regulatory pressure to do the same. One of the most recent regulatory changes applies to the Texas Identity Theft Enforcement and Protection Act (TITEPA). These changes create additional regulatory requirements and force businesses to disclose certain security breaches directly to the state, which could lead to regulatory enforcement in response to the breaches.

What is TITEPA?

In March 2019, Texas legislators proposed two data privacy bills that enhance consumers’ data rights and require businesses to responsibly maintain personal information. One bill stalled; the other, HB 4390, passed. HB 4390 was intended to be a consumer privacy bill known as the Texas Privacy Protection Act. Instead, it updates the breach notification requirements in TITEPA.

HB 4390 aims to protect personally identifiable information that poses privacy risks to consumers. This data could be anything from a Social Security number to cardholder security codes, unique biometric data, physical or mental health information, private communications of users that are not publicly available, geolocation data, and unique genetic information. Wondering what constitutes a privacy risk under HB 4390? The bill states that a privacy risk is, “Any potential adverse consequences to an individual or society at large arising from the processing of personally identifying information.” These consequences could be financial loss, physical harm, psychological harm, reputational harm, discrimination, etc.

Failure to comply with TITEPA and its amendments will result in civil penalties. These updates to TITEPA took effect on September 3, 2019, with the exception of a few new amendments to take effect on January 1, 2020. Let’s discuss their impact to your organization.

3 Important Updates

The first amendment to HB 4390 requires that Texas residents must be notified of a data breach within 60 days of when the breach occurred. This amendment is significant because it gives a specific time period, instead of the vague, flexible requirement before it, which required that businesses notify the impacted individuals “as quickly as possible.”

The second amendment stipulates that if a data breach impacts 250 or more Texas residents, then the business that experienced the breach must provide notice to the Texas Attorney General within the same 60-day notification period of Texas residents. This regulatory notification provides oversight and accountability, and must include a detailed description of the data breach, plus information about how many Texas residents were impacted, steps taken so far to contain the breach in the present and future, and if law enforcement has been notified.

Both of these amendments highlight the importance of an incident response plan. If your organization doesn’t know what to do in the face of a data breach, how can you expect to give proper breach notification to impacted individuals and the Attorney General?

HB 4390 also establishes the Texas Privacy Protection Advisory Council, which will study data security laws to prepare recommendations for changes to the Texas Legislature by September 2020, prior to the legislative session beginning in January 2021. The updates to HB 4390 stipulate who will make up the council and how they will be appointed.

Is Privacy Legislation Coming to Texas?

Because HB 4390 is an update to TITEPA instead of the Texas Privacy Protection Act, we’ll still be waiting to see if comprehensive privacy legislation is passed in Texas in the near future. The passage of HB 4390 is a win, though, for making updates to the state’s breach notification law and establishing the Texas Privacy Protection Advisory Council. The recommendations found by the Council (and reported in September 2020) will likely form the basis for privacy legislation in the future – maybe even when the Texas Legislature session begins in January 2021.

Does HB 4390 Apply to You?

HB 4390 applies to businesses who do business in Texas, have more than 50 employees, and collect personal information of more than 5,000 individuals, households, or devices. The applicability of HB 4390 also depends on whether the business has an annual gross revenue that exceeds $25 million or derives more than 50% of its annual revenue from processing personal information.

If you complete an audit with us, our auditors are trained to determine if state laws like these apply to your organization and impact your compliance. You may be in compliance and not know it, or you may have some gaps to close before you’re fully there. Hiring an auditing firm that shows you the full scope of your compliance obligations is crucial to becoming a security-conscious organization.

Ready to partner with an auditor who provides you with clear, comprehensive guidance? Let’s talk.

More Privacy and Breach Notification Resources

CCPA vs. GDPR: What Your Business Needs to Know

Preparation and Impact of PIPEDA

Best Practices for Data Privacy