January 27, 2021
While privacy policies have a reputation as verbose, multi-page documents full of legalese which the layman has neither the legal degree nor patience to digest, they're changing.
In 2016, the EU enacted the General Data Protection Regulation (GDPR), which is seen as the gold standard in privacy law globally. And then the rest of the world started to follow suit. Since the EU GDPR passed, countries including Brazil, China, India, Canada, and others have passed or are in the process of passing similar privacy laws. Many U.S. states have passed their own data privacy laws too, like the California Privacy Rights Act (CPRA) and the Texas Data Privacy and Security Act (TDPSA).
While the GDPR requires companies collecting data to publish privacy policies, in the U.S., they're mandated by state, local, and industry-specific regulations, given that the country still doesn't have a federal privacy law.
It comes down to this: Do what you say, and say what you do.
For one, writing a privacy policy helps you define a framework for your privacy program. Having to sit down and explicitly state how you handle personal data at your organization forces you to think about what you actually do with that data and what you actually should be doing.
That's according to Dennis Dayman, chief privacy officer at Maropost, a cloud-based marketing platform, who has been helping companies with their data privacy for 25 years. He's written his fair share of privacy policies and read far more of them.
"That's probably the biggest thing I run into these days is people trying to try and copy and paste policies as their own," Dayman said. "They just say, 'I'm gonna grab this as a beginning template.' But it doesn't necessarily have the same data collection practices as the company they copied it from."
It's important to know your specific data collection practices before publishing a policy designed to articulate what you do with customer data.
Catherine Dawson, a privacy attorney, said she often sees the same misstep.
But potentially the greatest challenge companies face is telling users how their data is treated in a way that both makes sense to the user and still protects the company against potential litigation.
That can be difficult, but Dayman thinks about it simply.
"I always talk about applying the grandmother test," Dayman said. "I come from the digital marketing side of things when it comes to the use of data. Would you do this to your grandmother? Would you collect this data and use it the way you want to on your grandmother? Privacy has to be as hyper-transparent for your grandmother to use as well. You've got to be very careful in drafting that."
To ensure the text is accessible to the average person, Dayman recommends recruiting people from your organization and asking them to read the policy. Does it make sense to them? Is it filled with legal and technical jargon that only a lawyer could understand?
Dayman recommends keeping it simple. If you're using words like "jurisdiction" or "precedence," you might be taking the wrong approach.
"Those are really nice words to use from a legal perspective, but find other ways to say that if you can," he said.
Dawson agreed but said there's a reason people fall back to legal jargon sometimes, especially if the company relies heavily on third-party data and vendors.
"It can be hard for people to articulate clearly how their data is shared with third parties," Dawson said. "It's not that folks are trying to hide the ball, but more that the online advertising ecosystem is complex. It can be challenging to describe accurately and clearly how the data you collect flows through that ecosystem and how it is combined with other data."
Dayman said it's best to have a top-down mentality. Aim to get buy-in from your CEO and the board, if possible. "Getting buy-in from executives and those who make decisions about the company is highly important," he said.
But it's also important to pull in various business groups who might not seem obvious. The IT, engineering, and sales teams all touch and use customer data at some point, so it makes sense that they should provide input on the policy or at least review a draft to ensure what's being conveyed about company practices matches how their department actually uses data.
"You don't always know what the engineering team is doing with the data. Sometimes they have to use data to test systems, and you have to figure out whether you have to make a statement (about that in your policy)," Dayman said.
The bottom line, said Dawson, is to roll up your sleeves and fully understand all of your company's data practices. If you get the fundamentals wrong, your policy will fall short. Be as straightforward as you can in your descriptions of those practices and then ensure the rest of the organization doesn't deviate from those descriptions.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, "Penny, the Privacy Pro."