Writing a Privacy Policy You’ll Actually Want To Read

Creating a privacy policy is necessary for any business collecting or processing personal information and is essentially a legal agreement between you and people visiting your website. And more often than not privacy policies are thought of as just that: a legal buffer. But with more users mistrusting the services they use, these policies should instead be seen as an opportunity to build trust with customers, establish a level of transparency, and show that your respect their privacy.  

Here is a short primer on what should be included in a privacy policy, and how to write it in a way that is accessible to users.  

The What

What information you collect 

It’s important to be upfront about all type of information you may collect about your users. This not only includes personal information (name, email, phone number, etc.), but also things like usage and analytics data, as well as the first- and third-party cookies.  

How you collect information 

Listing the methods used to collect data is another important aspect of a privacy policy. Is it information that they are freely providing? Is it automatically collected through your browser? Is it collecting through a script or plug-ins on your website? Providing this information will help users make informed decisions on how to navigate your site in a way that fits their privacy needs.  

How you use information 

It’s essential that you inform users not only of what you’re collecting, but how youre using that information. In many cases, it can help explain why it’s important that you collecting this information in the first place. Examples include customer service, payment processing, and improving site experience. On top of these, you’ll also need to state if you’re using data for marketing and joint marketing purposes. 

What information you share and why 

You’ll also want to state any information that you share with others. This might be for something like third-party advertising but can also include other companies related by common ownership, non-affiliates that market to you, or even non-profits using the data for research studies. Today, users are concerned about understanding who has access to their data, so this information is especially important.   

How that information is secured  

This is something you’ll definitely want your users to know about. Listing what security systems and practices you have in place will go a long way to show users that you care about their privacy and are taking the necessary steps to ensure it’s secure. 

What privacy options do users have 

It’s become more common for websites to give users some choice with regards to their privacy. This includes whether they can access the data that has been collected, the ability to change what information they want to share, whether they can delete data previous collected, as well as the ability to decide how long you hold on to their information. If you allow users these options, you want to explicitly state that they have those abilities.  

Who users can contact about privacy concerns 

Another component to your privacy policy should be a contact person that users can contact when they have questions or concerns regarding the policy or any other privacy-related issues. It’s important that users have someone they can reach out to when they have concerns.  

Regulation Compliance 

Lastly, depending on where you operate and even where your servers are located, you may be subject to certain privacy regulations that require you to both include certain components in your policy as well as explicitly state your compliance with these regulations. Two big regulations that could effect your privacy policy is the California Consumer Privacy Act (CCPA) (effective in 2020) and the EU’s General Data Protection Regulation (GDPR). Another important regulation is the Children’s Online Privacy Protection Act (COPPA) which requires certain privacy controls and parental consent before collecting data on children under 13. 

The How

Above all, when it comes to writing your privacy policy, it should be readable. 

Your users shouldn’t need a law degree to understand what’s in the policy. Write in plain English. Keep it as short as possible. While there is a lot of information to include, you should stay as concise as possible. If need be, you can layer the policy, meaning have basic language that provides a general overview and link else for details about different sections. Lastly, you want to ensure that the policy itself is easily accessible to users. It shouldn’t be tucked away in tiny font. Place it somewhere prominent that users to find whenever they’d like to refer back to it. 

This is especially important if you need to comply with the GDPR. Not only does the regulation require you to include certain information in your privacy policy, but also includes requirements to ensure your policy is sufficiently clear. The GDPR’s website provides some guidance on privacy policy best practices that you can find here 

Even if you’re not subject to the GDPR, it’s probably a good idea to try and follow their guidelines as well. Again, your privacy policy isn’t just a legal safeguard. It should be understood as a way to communicate to your users about their privacy and ensure them you’re being transparent about your data collection.  

How The Cookie Crumbles

How The Cookie Crumbles

Cookies have been and continue to be an essential part of how we use the internet. In essence, cookies are small files created by websites you visit that are saved on your computer. The files contain information on what websites you visit and how you interacted with those sites.  

This might make any privacy-minded person pause. Why should we allow websites to create records of what we do online? Well, the answer isn’t so straight forward. Not all cookies are created equal. Some forms of cookies are essential to what we’ve come to expect from our online experience. Others are a little more suspect.  

First-Party Cookies

In general, first-party cookies are there to make our online experience easier and more convenient. They’re used by individual websites, and store information so you don’t have to re-identity yourself every single time you use a site. They allow you to stay logged into websites as you navigate between pages and visits to those sites. They save your location so you can quickly check the weather in your area or buy movies tickets without having to re-enter your information every time you use those sites. 

In short, we rely on first-party cookies every time we visit a website. Their essential to how we use the internet and don’t necessarily present a risk to your privacy online. 

Third-Party Cookies

Third-Party Cookies, on the other hand, are a different story. Unlike first-party cookies, these cookies track your movements between websites. These types of cookies are not created by the website your visiting, but by a third-party whose code is on that site. This could come from plug-ins, or, as is more often the case, from advertising platforms. These cookies can then keep track of your movement between any website that features these third-party codes.  

Because they are not limited to your interaction with one specific website, they can be used to construct a much larger and more detailed profile of not only your online presence, but personal characteristics, spending habits, and lifestyles.  

Taking Control of Your Cookies

Because cookies are such an important part of how we interact with websites, blocking all cookies is unnecessary and will make using sites far more inconvenient. However, depending on your level of comfort there are steps you can take to have more control of what cookies websites are using. 

  • One option is to change your browser’s privacy settings to ask permission before accepting cookies for all websites. You can choose which websites save cookies depending on your level of trust and how frequently you use those sites. 
  • Most browsers also give you the option to only block third-party cookies. This will still allow individual websites to save information about how you use their sites but will stop entities from tracking your movement across the web. There are also several ad-blocking extensions you can use that will remove advertising codes from websites when you visit them, effectively blocking those third-parties from saving cookies on your computer. 

Cookie Disclosure Requirements

By now, you’ve probably seen many websites display banners either stating that they are using cookies or asking consent for their use. This is due to several laws coming out of EU that now require websites to obtain consent to use cookies. The ePrivacy Directive was implemented in 2002 and was the first of such laws to require notification of a website’s use of cookies.  

However, the newly enacted GDPR has further enhanced these requirements. Now, websites are required to not simple notify users that cookies are being used, but most give information on how those cookies will be used and gain consent from users for each of those purposes.  

While the U.S. currently does not have such laws in place, if your organization has servers in an EU nation, you may still be subject to GDPR restrictions. In any case, it is likely such regulations will be also enacted in the U.S. soon, so many organizations are choosing to display such banners preemptively.  

Taking Aim at the CCPA

From the land of Silicon Valley comes privacy regulations that may have a tremendous impact on how tech companies use and share your data. 

Modelled largely off the EU’s GDPR, the California Consumer Privacy Act (CCPA) is the largest and most comprehensive online privacy regulation passed in the United States to date. The regulation provides California residents extensive rights over what personal information companies collect, how the information is used, and even gives consumers the right to opt-out of data collection all together.  

The bill was passed into law in September 2018 and goes into effect this coming January. With the door fast closing, the race is on to add amendments and further clarifications to the new law. Last Tuesday, California Senate’s Judiciary Committee voted on a series of new amendments that could limit the scope of the CCPA.  

Here is a brief primer on the three most contested amendments and their fate in last Tuesday’s hearing.  

AB-1416  

This amendment proposes that business should be able to sell personal information even if consumer has opt-ed out if the sale is “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.” The amendment worried many privacy experts, who considered it to open major loopholes in the regulation. Specifically, according to one commentator, the bill would “would chip away at the rights of Californians by allowing law enforcement to get around existing warrant requirements to access personal information.”  

The bill was withdrawn by the author, Assemblyman Ken Cooley, at the last minute and so no vote was taken. However, according to some reports, it’s possible to bill will reappear for a vote next year, after the law has gone into effect. 

AB-873 

This amendment would exclude any de-identified data from the scope of the regulation. The real issue, however, is that bill lowers the threshold of what information is understood as de-identified. According to the amendment, data such as I.P. addresses and browser fingerprints would now be considered as de-identified information. However, according the senior counsel for policy and privacy at Common Sense Media, Ariel Fox Johnson, that information could potentially be used to re-identity data to specific users. “Deidentification is not a privacy protective technique if deidentified information can identify you.” 

The vote on the amendment was split 3-3, so the bill did not pass. Howeverthe bill’s author was granted reconsideration, so it is possible another vote on the amendment will be taken before the end of the summer. 

AB-25 

Another proposed amendment takes aim at restrictions on employers. As Bloomberg Law reports, the bill would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.” 

The bill passed with 8-0 votes in favor, but with added changes that still require employers to inform employees about the types of information they are collecting about them and why. 

Next Steps 

The California legislature has until September 13, 2019 to pass bills amending the CCPA. Any bills up for reconsideration must still pass a vote in the Senate’s Judiciary Committee. All approved bills will then move to the Committee on Appropriations for a vote in August, to be followed by a vote of the full Senate. 

While it is likely some of these changes will go into effect, the results of the Judiciary Committee’s hearing make clear that the main purpose of the CCPA will remain intact. As a result, businesses should be taking this bill seriously and begin looking into what processes will need to be implemented in order to comply with these new regulations.  

 

Privacy Sells

There is no doubt that technology and digital tools have helped business grow. From more effective lead generation to highly-targeted marketing campaigns, there is a lot that organization can gain from using such tools.  And, there is a lot that consumers gain in terms of ease, cost and convenience.

Follow the adage that “there is no free lunch”, consumers do pay a number of costs related to the access to their data — the costs related to their ability to learn, costs related to their ability to expand beyond their narrow world past decisions, choices and interactions, costs related to their ability to feel and act independent and costs related to their privacy or their ability to choose how and with whom they share information about themselves.

Regulations such as the European GDPR and the California CCPA are upping the ante for businesses to install more privacy mechanisms in place.  And typically, when business hears regulation it hears disruption (in the bad way, not the sexy positive way disruption is used most times today).

But it doesn’t have to be that way.  Set aside the regulation and focus on your brand.  Focus on your relationship with your customer. Then ask yourself the following questions:

  1. Am I willing to be transparent of what I do with my customer’s data?
  2. Am I willing to tell my customers to whom their data may be shared (and hold those parties to the standards I am committing ourselves to with regards to the customer’s data)?
  3. Am I willing to ask my customers if it is ok to use their data for specific purposes?
  4. Am I willing to assist my customers if they wish to change or delete their data from our systems?
  5. Am I focused on only asking for or tracking data that I absolutely need in order to delight them and enhance our combined experience?
  6. Am I prepared to put in necessary safeguards to protect their data while it is on our systems?

If you can say ‘yes’ to each of these questions, not only will you have an opportunity to comply with privacy regulations, but you put yourself in the position of respecting your customer and enhancing your brand.

Perhaps privacy does sell.

 

 

The GDPR’s Got Teeth

This week, the UK’s Information Commissioner’s Office (ICO) proposed two massive fines against companies found in violation of the EU’s newly enacted General Data Protection Regulation (GDPR).  

The first came on Monday when the ICO announced the proposed £183.39m fine against British Airways for a data breach in September 2018. The breach began in June 2018 after users attempting to access British Airways’ website were diverted to a fraudulent site. The attackers used this site to harvest customer information, resulting in the personal data of approximately 500,000 customers being stolen. 

British Airways first notified the ICO of the cyber-attack in September 2018. According to the ICO’s statement, their investigation found that customer information was comprised due to “poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”  

Then on Tuesday the ICO put out another statement, this time proposing a £99.2m fine against Marriott International for a data breach that was discovered in November 2018. The breach was the result of a compromise in the Starwood Hotels’ systems dating back to 2014. Marriott acquired Starwood in 2016 but did not discover the vulnerability until 2018. It is believed that roughly 339 million guest records were exposed between the initial breach and the time it was discovered.  

With regards to the Marriott investigationICO Information Commissioner Elizabeth Denham stated, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” 

The GDPR is the EU’s wide-ranging privacy regulations, requiring companies to “implement appropriate technical and organizational measures… in an effective way… in order to meet the requirements of [the] Regulation and protect the rights of data subjects.” In addition, the regulation establishes broad privacy rights for consumers, including widened conditions of consent for companies to process personal information, the right of users to obtain information on how their data is being used, and even provides users the right to request that companies delete their information.   

Under the GDPR, organizations can be fined up to €20 Million or 4% of annual global profits (whichever is greater).  

Both incidents make clear that the GDPR is taking matters of consumer’s privacy extremely seriously, and they’re sending a message that companies need to as well. From the perspective of the GDPR, business are not passive victims of cyber-attacks, but directly responsible for securing consumers’ information. 

Every organization should take this news to heart, no matter where they do business. Lawmakers in the U.S. are beginning to pass regulations such as the California Consumer Privacy Act that are modelled after the GDPR. Fines such as those proposed against British Airways and Marriott could be devastating to a company. So, it’s essential that all business take steps to ensure they are doing the upmost to protect their data. Now.  

 

Cyber Security Regulations for Small and Medium Size Businesses

As cybersecurity concerns increase, so have government regulations. The problem, however, is that these regulations are not all enforced on the federal level, and sometimes pertain only to specific types of businesses. It is important for  businesses to understand the regulations for their industry and/or geographic location and take steps to put the right cybersecurity program in place in order to comply. To help with that process, here is a short guide to four of the most important cybersecurity and privacy regulations in the U.S. today.

  • HIPPA –  The Health Insurance Portability and Accountability Act of 1996 (HIPPA) is one of the oldest and well-known federal privacy regulations in the U.S. These regulations requires that all companies within the healthcare and health insurance industry implement administrative, physical, and technical safeguards to ensure the protection of all electronic health information. This includes periodic risk assessment reports, workforce training and management, and access and audit controls. More information on HIPPA and how to ensure compliance can be found here

 

  • NYSDFS Cybersecurity Regulations – In 2017 The New York State Department for Financial Services put in place regulations for all financial institutions requiring a license to operate in New York. These regulations require that a comprehensive cybersecurity program be put in place including the designation of a Chief Information Security Officer, the implementation of cybersecurity policies based on  a comprehensive risk assessment, and periodic penetration and vulnerability tests. The regulations require businesses to provide cybersecurity training for employees, limit the amount of time data is retained, encrypt all nonpublic information, audit their third party vendors, develop an incident response plan, as well as notify the NYSDFA of any breach of nonpublic information. 

 

  • Securities and Exchange Commission: As of 2018, the SEC has put in place cybersecurity initiatives designed to protect retail investors from cyber-related attacks. These regulations effect all investment and public companies operating in the U.S. The role of these initiatives is primarily to provide resources for business to identify and assess cybersecurity risks, detect compromises to systems, plan for response to compromises, and steps to recover stolen data. However, SEC does require companies to report how data is being secured, and any cyber-related incidents such as data breaches. You can find the SEC’s resource page here. For even more information, the Financial Industry Regulatory Authority has additional resources and checklists for small business.

 

  • California Consumer Privacy Act (CCPA): The CCPA is one of the newest regulatory laws in the U.S. and provides consumers extensive control over how businesses collect and use personal information. The law applies to all for-profit entities doing business in California that collect personal consumer data. According to the CCPA, companies must provide consumers information on what data is being collected, and gives consumers the right to opt-out of the sharing or selling of personal information. Consumers additionally have the right to sue if a breach occurs when the company used careless or negligent means to protect data. The CCPA will go into effect in January 2020, and the full initiative can be found here

 

 

While not all of these regulations are will pertain to your business, it is likely that such initiatives will be standardized across industries and states in the near future. It is therefore essential that businesses begin to put some of these practices in place now. Here are some basic steps that can be taken today:

  1. Develop a cybersecurity policy. Two tools that can help come from the National Institute of Standards and Technology (NIST), which provides security and privacy controls for federal organizations, and the International Organization for Standardization (ISO), which specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization.
  2. Work towards improving the security controls in the organization with special emphasis on access control, data encryption, security governance, incidence response, vulnerability management (eg: patching and scanning), and vendor management.
  3. Train everyone on their role in cybersecurity
  4. Have someone in the organization responsible for cybersecurity and make sure they are getting training.

Finally, while the emphasis in this post is compliance, recognize who you are really doing this for:  your customers, your employees, your investors and yourself.