Providing transparent notice to individuals as to how their data is being used is a core requirement under many privacy laws. In honor of the recently celebrated Data Privacy Week, I am sharing my Top 10 Privacy Notice Tips for developing a privacy notice, along with how you can follow them.
1. Create your own privacy notice.
Do not simply copy the privacy notice of a competitor and use it as your own. To minimize liability, your privacy notice must accurately reflect your business’s practices and obligations to its consumers.
2. Disclose data practices that an individual would find material and ensure that your privacy notice is accurate.
The Federal Trade Commission Act (FTC Act) prohibits unfair and/or deceptive trade practices. A business must disclose material data practices (such as how data is collected, used, and shared) in its privacy notice. Similarly, you must ensure that your privacy notice is accurate. Failing to disclose material data practices in your privacy notice and/or having an inaccurate privacy notice may constitute an unfair and/or deceptive trade practice under the FTC Act (and state analogs). Penalties for these practices can be significant.
3. Ask questions.
Ask questions internally to understand what provisions need to be included in your privacy notice. Various laws require different, and sometimes highly specific, disclosures. At a minimum, find out what data you are collecting, how you are collecting it, for what purposes you are using it, and to whom you are disclosing it.
4. Never over-promise.
Do not commit to obligations with which your business cannot (or may not wish to) comply. For example, do not include a blanket statement stating that you will never share data with anyone if data is accessible to vendors (such as hosting providers) or if you want to retain the option to share the data with a third party, such as in the context of a merger or acquisition.
5. Broadly assess all data practices.
Ensure that the privacy notice accurately reflects the data practices of all constituencies within your business. Different departments may collect, use, or share data in different ways.
6. Ensure that different data classes are covered by appropriate privacy notices.
Certain types of data may be regulated differently (or handled differently by the business). Your business may need multiple privacy notices in order to accurately cover its varied data practices. As an example, it may be preferable to address how a business handles employee data in a separate employee privacy notice, rather than address employee data practices in a general website privacy notice.
7. Consider third-party services.
A business may need to include in its privacy notice provisions required by its contracts for third-party services. Read the relevant contracts or terms governing third-party services your business receives to ensure that you are aware of, and comply with, such requirements.
8. Unless required, exercise caution before covering data over which your business is solely a “processor” – or be clear about your processor role.
With certain exceptions, most privacy laws impose privacy notice requirements on controllers. (As used here, a controller would be the entity that determines purposes and means of processing data; a processor would be an entity that handles data solely at the direction of another entity.) Covering data over which your business is solely a processor may muddle your role and cause confusion in the market or with your customers. If your business is required to make available a privacy notice for data that it handles as a processor, ensure that your business’s processor role with respect to that data is clear.
9. Review your privacy notice regularly.
You should review (and update as needed) your privacy notice annually or with any change in business practices. Some laws require periodic privacy notice review; the California Privacy Rights Act, for example, requires an annual review.
10. When in doubt, consult with counsel.
If you have questions about how to prepare a privacy notice that is appropriate for your business, consult with privacy counsel. The Morse Privacy Team is happy to help!
The author would like to acknowledge the contributions to this piece by, and give thanks to, former Morse Law/Policy Intern, Fiona Fisher Sleigh, Dartmouth College (2023).