June 1, 2022
You know that building trust with current and potential clients is paramount to building your business. You also understand that collecting data is imperative while building relationships. Privacy policies can help you build trust while achieving compliance with the authorities.
This approach, however, could be short-sighted. Once you have customers, users, or data subjects in any of those jurisdictions and meet the applicability requirements — even if your business isn’t located within them — then you are still beholden to those regulations. So, it makes sense for you to plan ahead.
Fortunately, most regulations have significant overlap. When in doubt, adhere to the GDPR and the CCPA/CPRA, as these are broadly considered to be the gold standard of data privacy regulations.
Under the GDPR, a DPO is required if you process sensitive data on a large scale or monitor individuals on a large scale. Hospitals, security companies, and the like are good examples of organizations that need a DPO. For more specifics on the GDPR DPO requirement, see Article 37 of the GDPR. Even if you don’t meet those requirements, keeping a dedicated privacy professional on staff isn’t a bad idea.
You’ll want to describe the categories of personal information collected, sold, shared, and disclosed within the preceding 12 months as well as details on what types of personal information you collect from users. This could include, for example:
Different regulations have different categories of data that you should disclose. When in doubt, try to follow the CPRA’s guidance, which requires that categories of collected data must be “described in a manner that provides consumers a meaningful understanding of the information being collected.”
Additionally, it’s a good idea to disclose that you do not collect the personal information of minors, if that’s the case. If you do collect the personal information of minors, you should seek legal counsel’s help in making sure you are handling that data and the disclosure properly.
You will need to describe how you collect or source data, including a description of the categories of sources. While you likely collect some information from the user directly, it’s possible you also collect information from third parties, such as government databases, internet service providers, advertising networks, and so on.
What do you intend to do with your users’ data? It could be for fraud prevention, a better customer experience, marketing purposes, or any other reasonable use case for user data. Furthermore, it’s a good idea to delineate the purpose behind each category of personal information that you listed in item two of this list. If you don’t have a good reason to collect a given category of data, then most data privacy regulations require you to not collect it at all.
Note that if you intend to use personal information for targeted advertising, many regulations require you to clearly and conspicuously disclose that fact, as well as the fact that the consumer can opt out of this processing.
In addition, most major privacy laws require that you disclose whether consumer data will be used in automated decision-making processes, how consumer data impacts this decision-making, the associated results and consequences, and the users’ right to opt out of that decision-making. Often, these automated processes can include an element of bias, a reality that these laws try to mitigate with this requirement.
You’ll also want to take note of your legal basis behind data collection. The GDPR, for instance, lists out the following as acceptable legal bases for collection:
Make sure you clearly describe the rights the user (or data subject) you are collecting data from possesses and how they can exercise these rights.
These can vary from regulation to regulation, but generally, data subjects have:
If possible, provide the specific details of the recipient. Under the CCPA/CPRA, you also have to inform your users about which categories of recipients you sell their data to or share their data with (e.g., suppliers, credit reference agencies, government departments).
Transferring data into another country or state can expose your users’ data to greater risk. If you operate out of California or the EU, for instance, and transfer data to a jurisdiction with less robust data protection laws, the recipient may treat your users’ data with less than the respect it deserves.
However, it’s possible to establish safeguards to enable a compliant data transfer. Typically, this takes the form of a contractual agreement (specifically, the GDPR’s Standard Contractual Clauses) between your organization and the receiving party affirming that they will treat your users’ data to the same standards as yourself.
Indicate which categories of data you collect are required and which are optional. If your users decline to share data that would be useful for marketing and analytics purposes, they can still use your website, make a purchase, use your app, or engage in whatever other activity serves as the focal point of your relationship. On the other hand, if you operate an e-commerce business and they refuse to share their address with you, you won’t be able to ship them the products they order. Depending on the nature of your organization, the type of data that needs to be collected in order to serve your users will vary.
How long do you intend to retain the different categories of your users’ data? If you’re uncertain about the exact answer, under what circumstances will you no longer need a user’s data? Explain what criteria you will use to determine when you’ll delete that data.
If you provide a financial incentive, a price difference, or a service level difference based on a user’s data choices, you have to include what’s called a “Notice of Financial Incentive” under the CCPA/CPRA. This disclosure needs to contain:
As your organization evolves and laws change, your policies will too. Tell consumers how you’ll let them know about future changes to your data management plan.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”