Drafting a Privacy Notice Checklist

Practical Law Intellectual Property & Technology

Checklist 9-12-16

This Checklist outlines key steps to take when drafting a privacy notice, also known as a privacy policy, statement, or disclosure. It highlights important benchmarks in developing a privacy notice, including applicable law and guidance, the proper format and approach, and post-publication considerations.

Understand How the Business Collects and Uses PII

Accurately disclosing a company’s PII practices first requires a full understanding of how the business collects, uses, shares, transfers, and stores PII. To do this:

  • Engage key employees who know how the business collects, stores, uses, and discloses PII to help develop and review a PII data map documenting:
    • the type of PII the business collects;
    • the people the business collects PII from, including where they reside;
    • how the business collects, uses, and shares PII;
    • why the business collects, uses, and shares PII;
    • the parties given access to PII, including all third-party service providers;
    • geographic locations where the business collects or stores PII;
    • the electronic systems that handle PII and the people responsible for those systems;
    • the PII data flows, including data transfer, sharing, storage, and exit points;
    • how long the business retains PII;
    • the security controls and safeguards deployed to protect PII; and
    • any future or anticipated PII collection or use needs.
  • Consider that key employees with relevant information may sit in:
    • operations;
    • human resources;
    • records and information management;
    • information technology;
    • marketing;
    • webpage design;
    • product development; or
    • legal.
  • Identify any collection or use of PII that may require special handling or additional disclosures, including:
    • precise geo-location;
    • biometrics;
    • information from or about children;
    • sensitive data, such as health or financial information;
    • any potential uses that are unrelated to or different from the original reason PII was collected;
    • individualized profiles or tracking of individualized activity;
    • online behavioral advertising (OBA), interest-based advertising (IBA), or similar advertising and marketing techniques; and
    • if and how the business’s websites respond to web browser Do Not Track (DNT) signals.
  • Review and understand how the technology employed to collect, store, process, use, control, access, and share PII works.
  • Identify any automated PII collection that may not be obvious to consumers, including:
    • electronic communication protocols;
    • cookies, flash cookies, pixel tags, or web beacons;
    • technologies used to track individual activity over time;
    • GPS; or
    • sensors.
  • Identify any privacy-related opt-out methods or other choice mechanisms and understand exactly how they work.

Determine Legal Requirements

The US does not have an overarching federal law setting privacy notice requirements or standards for all businesses. However, before drafting a privacy notice, businesses should consider:

  • Federal Trade Commission (FTC) guidance.
  • Relevant state law and guidance.
  • Sector-specific laws and self-regulatory guidance applicable to specific industries or activities.
  • Foreign laws.


Decide What Approach and Format the Notice Must Take

  • Based on the factual investigation results, choose the best privacy notice approach and format to fit the business’s needs. For example, consider a:
    • unified notice addressing all aspects of the business’s PII use in one document for uncomplicated businesses following one clear set of PII handling practices;
    • specific notice addressing a clearly defined subset of operations for complex businesses with diverse operations or businesses that need to call out particular privacy practices;
    • long-form or singular format for simple notices capable of clear presentation in one document;
    • layered format dividing the notice into segments for complex documents that can benefit from simplification or summarization;
    • just-in-time format for practices requiring a specific notice at the exact time the business collects PII; and
    • privacy center or centralized privacy setting to highlight consumers’ PII-related choices.
  • Consider sector-specific format requirements or standards, such as:
    • GLBA format requirements; and
    • HIPAA format requirements.
  • Consider the different types of privacy notices the business may need, including, for example, notices specific to employees, websites, mobile applications, or retail collection points. Samples include a:
    • website privacy notice; and
    • mobile application privacy notice.

Draft the Privacy Notice

  • Keep the notice simple and straightforward: Say what you do and do what you say.
  • Write the notice in plain and clear English so that the reader can clearly understand it.
  • Include sections that disclose the following:
    • the notice’s scope and introductory statements;
    • what types of PII the business collects;
    • how the business collects, uses, and shares PII;
    • sector or geographic-specific disclosures;
    • individual choice, opt-out, or access mechanisms provided;
    • data security standards or practices followed;
    • revisions and updates to the notice; and
    • contact information and how to register complaints.
  • Clearly frame the notice’s scope by specifically identifying what it does and does not cover.
  • Specifically call out any:
    • sensitive data the business collects, stores, uses, or shares;
    • data uses or collections that may not be obvious or clear to the individual based on normal business interactions;
    • automated collection technologies employed; or
    • profiling or tracking of individual activity across devices or websites.
  • Clearly describe when and why PII may be provided to third parties, along with any restrictions or requirements the business places on those third parties.
  • Disclose other different, but important, PII uses and disclosures, such as to comply with court orders or legal requirements, defend the business, protect employees, or support mergers and acquisitions activities.
  • Include all required federal or state disclosures.
  • Provide effective consumer choice mechanisms for certain PII uses, particularly for marketing activities.
  • Clearly identify the notice’s effective date and the best method of contacting the company with complaints, concerns, or questions.
  • Clearly describe the process for communicating any future changes to the privacy notice.
  • Review the draft notice with key stakeholders to ensure it accurately reflects the business’s current and anticipated PII handling practices, including:
    • senior management;
    • business and technical employees responsible for PII policies and procedures;
    • operating units responsible for controlling PII collection, access, and use;
    • information technology groups responsible for PII security; and
    • legal counsel.
  • Engage others without technical, legal, or privacy backgrounds to review the draft notice to identify readability issues or descriptions requiring clarification.
  • Test any opt-out methods or other choice mechanisms described in the notice to ensure they work exactly as described.

Publish the Privacy Notice


  • Use publication and delivery methods that provide individuals with real and timely notice of the business’s privacy practices when they are deciding what information they should share, including:
    • online or website posting, with links provided wherever PII is collected;
    • email or other electronic means; and
    • postal delivery.
  • Let the context of the consumer interaction determine the best privacy notice communication method.
  • Consider any legal requirements around delivery. For example, GLBA, HIPAA, COPPA, and certain state statutes set specific delivery requirements for their notices. For more information on statutes requiring specific delivery formats.
  • Clearly and conspicuously label the notice so it is easy for consumers to locate.

Post-Publication Considerations

  • Ensure employees are aware of the privacy notice statements and obligations when acting on behalf of the business.
  • Require employees to:
    • regularly read and acknowledge the privacy notice, similar to other important corporate policies;
    • attend privacy notice training courses, with additional training tailored for specific job functions; and
    • conduct a privacy notice review before implementing new technologies or changing current processes.
  • Establish policies and procedures for regularly reviewing privacy notices to:
    • audit the business’s compliance with the stated privacy notice;
    • test any individual opt-out or choice mechanisms to ensure they are working as expected; and
    • keep the notice up-to-date as changes in applicable privacy laws or PII-handling practices occur.
  • Implement effective procedures and technology to ensure compliance with privacy notice statements or individual opt-out requests.
  • Consider establishing a “privacy by design” program as part of the business’s product and development process.
  • Provide adequate notice of privacy policy revisions:
    • giving notice using the same method used for the initial privacy notice delivery;
    • prompting consumers to view the new notice on a website by posting a banner or other conspicuous notice;
    • alerting consumers of the new notice the first time they log into a website after the new notice has been posted; and
    • obtaining express consent for any new notice terms that are material retroactive changes, such as sharing PII with third parties after committing at the time of collection not to share that information.
  • If the business cannot obtain proper consents for material retroactive changes, implement procedures to segregate PII based on the various permitted uses.

Summary of Best Practices for Drafting Privacy Notices

  • Write the notice in plain and clear English so that the reader can clearly understand it.
  • Understand how the business uses PII and relevant technology.
  • Tailor the notice to the business’s specific needs and structure.
  • Do not use a template approach that ignores the business’s actual practices.
  • Consult FTC, state laws, and other regulations or industry guidelines that provide minimum standards and best practices for data collection and use.
  • Do not collect sensitive PII unless it is absolutely necessary. If collecting sensitive PII is necessary, clarify why and include an explanation of how the business protects the data.
  • Allow consumers and others a cost-free way to opt out of the business using or maintaining their PII.
  • Make the notice easy to find and accessible.
  • Update the notice regularly to reflect changes and communicate changes to consumers.
  • Always include the notice’s effective date and retain copies of past versions.
  • Clearly communicate how consumers can contact the business with questions or concerns regarding the privacy notice and practices.
  • Ensure the privacy notice matches actual business practices and train employees.
  • Consider joining a well-respected privacy certification program to improve accountability and credibility.

For the full article complete with links to helpful ready-made resources on related topics, visit the Practical Law Checklist, “Drafting a Privacy Notice”, today!
