As a privacy and cybersecurity lawyer, I'm often asked by clients and potential clients about preparing a privacy policy – whether they need one, and how much it costs. And underlying the question is an assumption – privacy policies are really just formalities, and all they need to do is find the right form, or a competitor's model, make sure to change the name and contact information, and they're done.

They are right about one thing – any company that collects any kind of personal information needs a privacy policy. Jurisdictions throughout the world – not just the United States, but the European Union, Canada, Australia and elsewhere – have laws that require a privacy policy, some in great detail, others more generally. The California Online Privacy Protection Act, which went into effect in 2004, began this trend, and the advent of the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in California increased the level of detail required in the privacy policies of companies under their jurisdiction, by requiring greater detail on the types of data collected, the uses of the data, and how consumers can limit the use of personal data.

There are also third parties that require privacy disclosures, including Google Analytics, a ubiquitous feature of commercial websites.

But they are wrong about what it takes to create a privacy policy. Using another company's policy might be a starting place, but it takes much more. Assuming that all privacy policies are alike is a dangerous practice – if a company does not take the steps to ensure that the policy is accurate and complete, it increases, rather than limits, its liability. Companies must analyze their data collection practices and make sure that reality is reflected in the policy.

What is Included in a Privacy Policy?

While there are a wide variety of policies, they generally include some key elements:

  • Information about the business, including contact details;
  • The types of personal data that are collected;
  • How the data is used;
  • Whether and how it is shared with third parties; and
  • What the company does to protect personal information.

In addition, companies that are governed by the CCPA (generally, any for-profit business that collects information from California residents and has $25 million or more in revenues, or whose business is primarily the collection or sale of personal information) must include a description of consumer rights under the CCPA and how a consumer can exercise those rights. These rights include:

  • The right to notice of collection;
  • The right to access the information collected;
  • The right to opt out (or right to opt in) to the sale of personal information;
  • The right to request deletion of personal information; and
  • The right to equal services and prices when the consumer exercises those rights.

What Goes into Creating a Privacy Policy

The requirements for an effective privacy policy make it clear that there is no one-size-fits-all form, and simply doing what someone else does won't fulfill a company's legal obligations. Each company has different practices regarding the information it collects, who has access to the information, and how it uses it. And for companies that are required to comply with the CCPA, failure to have an accurate and complete privacy policy – and to update it every year – can result in significant liability to the California Attorney General, who has made it clear that the State of California will enforce the CCPA, regardless of the current pandemic or other factors.

In order to create an effective and meaningful privacy policy, a company must conduct a data map (sometimes called a data inventory) to identify each category of personal information it collects or obtains from any party; where the data is held; who has access to the data; and what the company does with that data.

The next step is to understand exactly what security processes and procedures the company uses to protect personal information, and to consider what steps need to be taken to achieve reasonable security (although the concept of reasonable security is the subject of another discussion).

When a company goes through this process, it can create an accurate privacy policy that complies with applicable laws.

Other Benefits

There are some major benefits to starting the privacy policy process with a data map, not the least of which is protection against regulatory action or private claims. The federal government and every state have laws prohibiting unfair and deceptive trade practices; the FTC has been active in pursuing remedies against companies whose privacy policies are not consistent with their actual practices, either by not identifying the information they collect, or by misstating how they protect personal information. Similarly, private litigants use these laws to pursue claims against companies.

There is another benefit that is often overlooked – companies that are cognizant of their privacy and security practices will understand how those practices can be improved, both in quality and efficiency. As information security and privacy gain greater importance – particularly as companies will be required to obtain more sensitive personal information to, among other things, cope with the current pandemic – companies that are forward thinking in privacy and security are more likely not just to survive, but to thrive.

Originally published 3 June, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.