- Stay in compliance with major data privacy regulations like the CCPA/CPRA and GDPR
- Demonstrate to your users that you respect their privacy and will treat their data responsibly
- Reduce your risk exposure in the event of a data breach or lawsuit
- Demonstrate to third parties that you meet their data privacy standards and are therefore a reliable partner
Here’s what to know first
You know that building trust with current and potential clients is paramount to building your business. You also understand that collecting data is imperative while building relationships. Privacy policies can help you build trust while achieving compliance with the authorities.
This approach, however, could be short-sighted. Once you have customers, users, or data subjects in any of those jurisdictions and meet the applicability requirements — even if your business isn’t located within them — then you are still beholden to those regulations. So, it makes sense for you to plan ahead.
Fortunately, most regulations have significant overlap. When in doubt, adhere to the GDPR and the CCPA/CPRA, as these are broadly considered to be the gold standard of data privacy regulations.
Under the GDPR, a DPO is required if you process sensitive data on a large scale or monitor individuals on a large scale. Hospitals, security companies, and the like are good examples of organizations that need a DPO. For more specifics on the GDPR DPO requirement, see Article 37 of GDPR. Even if you don’t meet those requirements, keeping a dedicated privacy professional on staff isn’t a bad idea.
2. The categories of data you collect
You’ll want to describe the categories of personal information collected, sold, shared, and disclosed within the preceding 12 months, as well as details on what types of personal information you collect from users. This could include, for example:
- Personal identifiers, such as names, email addresses, identification numbers, and the like
- Geolocation data
- Demographic data, such as race, gender identity, age, and the like
- Internet activity data
- And more
Different regulations have different categories of data that you should disclose. When in doubt, try to follow the CPRA’s guidance, which requires that categories of collected data must be “described in a manner that provides consumers a meaningful understanding of the information being collected.”
Additionally, it’s a good idea to disclose that you do not collect the personal information of minors, if that’s the case. If you do collect the personal information of minors, you should seek legal counsel’s help in making sure you are handling that data and the disclosure properly.
3. The sources of the data or how you collect data
You will need to describe how you collect or source data, including a description of the categories of sources. While you likely collect some information from the user directly, it’s possible you collected information from a third party, such as a government database, internet service providers, advertising networks, and so on.
4. The purpose of data collection
What do you intend to do with your users’ data? It could be for fraud prevention, a better customer experience, marketing purposes, or any other reasonable use case for user data. Furthermore, it’s a good idea to delineate the purpose behind each category of personal information that you listed in item two of this list. If you don’t have a good reason to collect a given category of data, then most data privacy regulations require you to not collect it at all.
Note that if you intend to use personal information for targeted advertising, many regulations require you to clearly and conspicuously disclose that fact, as well as the fact that the consumer can opt out of this processing.
In addition, most major privacy laws require that you disclose whether consumer data will be used in automated decision-making processes, how consumer data impacts this decision-making, the associated results and consequences, and the users’ right to opt out of that decision-making. Often, these automated processes can include an element of bias, a reality that these laws try to mitigate with this requirement.
5. The legal basis of data collection
You’ll also want to take note of your legal basis for data collection. The GDPR, for instance, lists the following as acceptable legal bases for collection:
- User consent (which is the most common basis used today)
- A contractual obligation
- A legal obligation requiring your organization to process user data (e.g., a lawsuit or subpoena issued by a governmental entity)
- Vital interest; that is, that processing the user’s data is necessary to preserve life, safeguard fundamental rights, support humanitarian emergencies, and other select circumstances.
- Public interest
- A legitimate interest in processing the user’s data (another commonly used basis, though you’ll need to disclose the nature of your legitimate interest)
6. The consumer’s rights
Make sure you clearly describe the rights that the users (or data subjects) whose data you collect possess, and how they can exercise those rights.
These can vary from regulation to regulation, but generally, data subjects have:
- The right to access personal information
- The right to rectify incorrect personal information
- The right to object to the processing of personal information
- The right to withdraw consent to the processing of personal information
- The right to lodge a complaint with a supervisory authority (which varies depending on where the data collection occurs)
- The right to appeal a business’s decision with regard to a data subject’s request
- And more depending on your and your users’ location
If possible, provide the specific details of the recipient. Under the CCPA/CPRA, you also have to inform your users about which categories of recipients you sell their data to or share their data with (e.g., suppliers, credit reference agencies, government departments).
8. Whether the data will be transferred across borders and how
Transferring data into another country or state can expose your users’ data to greater risk. If you operate out of California or the EU, for instance, and transfer data to a jurisdiction with less robust data protection laws, the recipient may treat your users’ data with less than the respect it deserves.
However, it’s possible to establish safeguards that enable a compliant data transfer. Typically, this takes the form of a contractual agreement (specifically, the GDPR’s Standard Contractual Clauses) between your organization and the receiving party, affirming that they will treat your users’ data to the same standards that you do.
9. Whether data collection is voluntary or mandatory
Indicate which categories of data you collect are required and which are optional. If your users decline to share data that would be useful for marketing and analytics purposes, they can still use your website, make a purchase, use your app, or engage in whatever other activity serves as the focal point of your relationship. On the other hand, if you operate an e-commerce business and they refuse to share their address with you, you won’t be able to ship them the products they order. Depending on the nature of your organization, the type of data that needs to be collected in order to serve your users will vary.
10. Your data retention policies
How long do you intend to retain the different categories of your users’ data? If you’re uncertain about the exact answer, under what circumstances will you no longer need a user’s data? Explain what criteria you will use to determine when you’ll delete that data.
12. Your financial incentive programs
If you provide a financial incentive, a price difference, or a service level difference based on a user’s data choices, you have to include what’s called a “Notice of Financial Incentive” under the CCPA/CPRA. This disclosure needs to contain:
- A brief summary of the program
- A detailed description of the program
- Info on how the consumer can opt in
- A right of withdrawal
- An explanation of the value provided by the program
13. How you will communicate changes to your policy
As your organization evolves and laws change, your policies will too. Tell consumers how you’ll let them know about future changes to your data management plan.
- Providing data subjects an easy way to make access requests and exercise their rights
- Discovering the personal data relevant to a data subject, ensuring you can quickly respond to their requests and respect their rights
- Assessing the data practices of over 14,000 vendors, enabling you to partner and share user data with only those vendors that meet your standards