July 25, 2023
What if your city no longer had to put up speed limit signs? The police would still know what the speed limit was on a given stretch of road, but drivers would just have to guess. If you got a ticket for speeding, you’d feel like you’d been taken advantage of, wouldn’t you?
For consumers who discover their personal data has been collected, processed, sold, transferred, or otherwise mucked around with without their knowledge or consent, the feeling is similar. To increase trust and transparency, modern businesses are required to provide privacy notices to their audience. Consumers expect to be informed about the collection, use, sharing, and protection of their data—and a privacy notice is the number one way to deliver that information.
This article will explore the concept of a privacy notice, its legal aspects, components, and its role in protecting your data.
Before delving into the details, let's start with what a privacy notice is, some best practices for creating one, and why they matter.
When creating a privacy notice, organizations must ensure that it is written in clear and understandable language, avoiding complex legal jargon. The point of a privacy notice is to inform after all, and if it’s written in an overly technical fashion, it won’t do much informing.
Furthermore, privacy notices should be easily accessible to individuals. They are commonly found on an organization's website or mobile application, often linked in the footer or navigation menu. This accessibility ensures that individuals can easily refer to the privacy notice whenever they have questions or concerns about their data.
Privacy notices play a vital role in protecting individuals' privacy rights and enabling them to exercise those rights. First and foremost, they empower individuals by providing them with essential information about how their data will be used. Without this knowledge, individuals would be left in the dark, unaware of what happens to their personal information once it is shared.
These rights, which may vary depending on the jurisdiction, often include the right to access, rectify, and delete personal information. By clearly outlining these rights in the privacy notice, organizations ensure that individuals are aware of their rights and can easily exercise them.
By being open and transparent about their data practices, organizations can foster a sense of trust and confidence among their users. This trust is essential in today's data-driven society, where people are increasingly concerned about how their data is being used and shared. In fact, the same IAPP research identified that 68% of consumers are either somewhat or very concerned about their online privacy.
Article 13 of the GDPR lays out requirements for “information to be provided where personal data are collected from the data subject.” It doesn’t explicitly mention a privacy notice or policy, but notices are the easiest and most common way to provide the information required by the GDPR.
The GDPR sets out specific requirements to ensure individuals are fully informed about how their personal data will be handled. In addition to providing information about data processing activities, privacy notices must also inform individuals about their rights under the GDPR, such as the right to access their data, the right to rectify inaccuracies, and the right to erasure.
Furthermore, privacy notices must inform individuals about the legal basis for processing their data. The GDPR provides several legal bases for processing, including:
Organizations must ensure that their privacy notices are up to date and reflect any changes in their data processing practices. If there are any material changes to how personal data is processed, organizations must inform individuals and obtain their consent if required.
Among the state laws in the United States, the CCPA/CPRA grants California residents certain rights regarding their personal information, including the right to know what personal information is collected about them and the right to opt out of the sale of their personal information. Organizations that fall under the scope of the CCPA/CPRA must provide privacy notices that comply with the requirements of the law.
The GDPR and CCPA/CPRA are far from the only laws with privacy notice requirements, but they do cover two of the largest jurisdictions that a business might be operating within. Any modern data privacy law is going to have some sort of requirement around privacy notices, however.
Besides the GDPR, many countries and regions have enacted their own privacy laws and regulations. These laws may impose additional requirements on organizations, such as mandatory data breach notification or specific consent mechanisms. It is essential for organizations to be aware of and comply with the relevant laws in the jurisdictions where they operate.
Similarly, in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules for the collection, use, and disclosure of personal information by private sector organizations. Organizations subject to PIPEDA must have privacy policies that outline their information handling practices and provide individuals with information about their rights and how to exercise them.
There are also numerous other U.S. state laws, like the Connecticut Data Privacy Act, Colorado Privacy Act, and many others; Brazil’s Lei Geral de Proteção de Dados Pessoais, or LGPD; China's Personal Information Protection Act; and many, many more laws each year.
This section of the privacy notice explains what types of personal data are collected and how the organization uses that data. It should include details such as the purpose for collecting the data, the legal basis for processing it, and any specific uses that individuals should be aware of.
For example, if you are signing up for a newsletter, the organization may collect your name, email address, and preferences. (By the way, have we mentioned Osano’s own excellent newsletter, The Privacy Insider?)
This information is used to personalize the newsletters and send them to the right recipients. The legal basis for processing this data may be your consent, which you provide when you subscribe to the newsletter.
In addition to personalizing newsletters, the organization may also use the collected data to analyze trends and improve their services. This helps them understand their audience better and tailor their content to meet their subscribers' needs.
In this section, the organization should disclose whether it shares personal data with any third parties and the purpose of such sharing. It is essential to be transparent about any sharing practices and ensure that individuals understand the potential risks involved.
Let’s consider this information in the context of the hypothetical scenario in which you signed up for an organization’s newsletter. The organization may share personal data with a third-party email marketing service to send out newsletters on their behalf. This ensures efficient delivery and tracking of emails. The purpose of sharing this data is solely for the distribution of newsletters and does not involve any other use or disclosure.
Furthermore, the organization may also share personal data with law enforcement agencies or other authorities if required by law or to protect their legal rights. This is done in compliance with applicable regulations and ensures the safety and security of individuals' data.
Data retention and protection are critical considerations in any privacy notice. This section explains how long the organization retains personal data and the measures in place to protect it from unauthorized access, loss, or destruction. It may also outline individuals' rights regarding the deletion or correction of their data.
Typically, the organization will retain personal data for as long as necessary to fulfill the purposes for which it was collected. So, in the context of the newsletter example, your email address and other personal data may be retained until you unsubscribe or request its deletion.
To ensure the security of personal data, the organization will implement various technical and organizational measures. These may include encryption, access controls, regular backups, and staff training on data protection practices. By adopting these measures, the organization aims to minimize the risk of data breaches and unauthorized access to personal information.
You may be legally required to provide a privacy notice, and it may improve your customers’ trust in your organization, but the real purpose of a privacy notice is to protect customer data—and, in turn, your brand reputation. Here’s how.
Privacy notices provide individuals with the transparency they need to make informed decisions about their data. By clearly outlining data practices, individuals can exercise greater control over what information they share and how it is used. This transparency helps to mitigate the risk of data misuse and enables individuals to hold organizations accountable for their data practices.
Data breaches can have serious consequences for both individuals and organizations. A well-drafted privacy notice should include information on the security measures in place to protect personal data. By being aware of these measures, individuals can assess the level of risk associated with sharing their data and make informed decisions accordingly.
What’s more, Osano research identified that companies whose privacy policies lacked detail into their privacy practices were nearly twice as likely to suffer a data breach than companies whose policies described excellent and robust practices.
The most essential aspect of a privacy notice is that it has to actually describe what your organization does. Upon crafting their first privacy notice, many organizations become aware of compliance activities they need to complete in order to meet the standards their notice sets. Thus, the act of building a privacy notice can prompt you to consider and improve upon data privacy practices at your organization.
Privacy notices are a critical document that plays a vital role in protecting your customers’ personal data. By understanding the concept, legal aspects, and components of a privacy notice, you will be better equipped to protect your customers’ data and stay compliant.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.