By: Bethany Mowery
A well-crafted privacy notice is essential to protect an organization and ensure it complies with various legal obligations.
A privacy notice, frequently called a privacy policy, is an external-facing statement that describes how an organization gathers, uses, stores, and shares consumer personal information or data. Most companies publish their privacy notice on their website or mobile application.
Privacy notices can cover a variety of topics depending on the organization’s business practices and industry standards.
Some of the most common and important areas to cover in a privacy notice include:
A company should always identify the types of personally identifiable information (PII) that it collects from consumers and list these categories in its privacy notice. The definition of what constitutes PII varies but typically includes any information that can be used to distinguish or trace an individual’s identity.
Information that is commonly considered PII includes an individual’s:
In addition to disclosing the types of PII collected, a company should also disclose in its privacy notice how personal data is collected, stored, protected, used, and shared by the organization or any third parties.
The United States does not have a broad data privacy law governing all organizations. Therefore, a company must understand any industry-specific federal regulations that apply to its business and the privacy requirements of such laws. When crafting its privacy notice, a company should also consider the data privacy laws of the states in which it transacts business and where its consumers reside, as well as any relevant international privacy laws, such as the European Union’s General Data Protection Regulation.
A company’s privacy notice should be posted in a prominent location, typically on the homepage of the company’s website. A link to the complete privacy notice may be posted, but the link should be clear, conspicuous, and include the word “privacy.”
In the United States, the Federal Trade Commission (FTC) has the authority to bring enforcement actions against companies that misrepresent or mislead consumers in their privacy notice. Inadequate disclosure of data collection and sharing practices by a company in its privacy notice is considered a deceptive trade practice by the FTC. Companies should therefore treat their privacy notices as binding agreements, as they would any other contract.
A privacy notice should be drafted with a forward-thinking view to limit the need for frequent revisions. However, it is important for a company to regularly review its privacy notice and make necessary updates based on any changes to its internal privacy policies. Further, state privacy laws frequently change and may in turn require a company to revise its privacy notice. It is also good practice for a company to provide a method for notifying consumers of any changes it makes to its privacy notice.
For assistance drafting your privacy notice or with other corporate compliance-related issues, contact your trusted Chugh, LLP attorney.