When you think about Privacy Policies, you probably dread the thought of reading through endless amounts of “legalese” that the average human being tries to avoid at all costs.
Oftentimes, these policies are hidden under layers and layers of content on websites. And for many, this is for good reason: businesses are not inclined to incorporate 100-page policies on websites meant to convey an enticing brand for current and potential customers.
But over the past few years, there have been fundamental shifts in the way that websites are creating and implementing Privacy Policies.
In the news, it was widely reported that Cambridge Analytica engaged in the misappropriation of the personal data of millions of Facebook users.
This resulted in an outcry from consumers calling for their sensitive information to be protected and used for appropriate purposes. And regulators responded.
In 2018, the European Union began enforcing the General Data Protection Regulation (“GDPR”), known as the most comprehensive piece of privacy legislation in the world.
The law provides a variety of privacy rights to consumers, including the right to request the deletion of collected personal information and the right to request the correction of collected personal information.
Furthermore, businesses are required to make specific disclosures pertaining to the processing and use of personal information within their online Privacy Policies.
Similar to Europe, the United States has seen an uptick in the passing of comprehensive privacy laws at the state level.
The California Consumer Privacy Act (“CCPA”) is a prime example of this. The law requires certain businesses to ensure their Privacy Policies disclose the categories of personally identifiable information (“PII”) that the business has collected and sold.
The CCPA, similar to the GDPR, also provides consumers with the ability to request the deletion of their collected PII.
Given the recent changes in the privacy law landscape, businesses will need to respond accordingly.
Laws like the GDPR and CCPA are not going away. Because of this reality, Privacy Policies will have to act as “living documents” that update as laws change.
This article will discuss the following three topics:
- The California Consumer Privacy Act; and
The ultimate goal is to establish a relationship of trust between the consumer and the business.
In general, Privacy Policies should contain the following components:
- A description of the business’s information sharing practices. This includes a description of what PII the business collects and discloses to other entities;
- A description of how the business uses the collected PII; and
- A description of how consumers may exercise their privacy rights under applicable law.
This is important because consumers, now more than ever, are taking a business’s information sharing practices into account when deciding whether to make purchases and subscribe to services online.
The California Consumer Privacy Act
Set to be enforced on July 1st, 2020, the CCPA provides Californians with a variety of privacy rights. These rights allow consumers to request the deletion of their PII, request a variety of disclosures relating to what PII has been collected and who has accessed it, and “opt-out” of the sale of the PII to third parties.
“Businesses” as defined by the CCPA must comply with the requirements of the law. A “business” must meet all of the following criteria:
- Sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners;
- That collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and
- Does business in the State of California.
Provided that an entity qualifies as a “business” and falls under one of the following three categories, it must comply with the CCPA, irrespective of whether the business is actually located in California:
- Has an annual gross revenue in excess of twenty-five million dollars ($25,000,000);
- Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
To say that the CCPA has caused stress amongst businesses is an understatement. The law has fundamentally changed the privacy law landscape.
- A description of the consumer’s rights under the CCPA. These rights include the following:
  - The right to know what PII has been collected by the business;
  - The right to know if PII has been sold and who has purchased the PII;
  - The right to “opt-out” of the sale of the PII to third parties;
  - The right to access the PII that has been collected; and
  - The right to equal services and prices, despite the consumer exercising a CCPA right;
- A list of categories of PII that the business has collected in the last 12 months, by reference to two lists:
  - A list of categories of PII that the business has sold in the past 12 months; and
  - A list of categories of PII that the business has disclosed in the past 12 months.
size of your business, who is involved in the handling of the information, and the information you collect.
- Hire outside counsel who specializes in privacy law and is experienced in writing Privacy Policies;
- Research different templates of Privacy Policies online; or
To that end, key stakeholders involved in the lifecycle of the data will need to be interviewed and included in the process.
These stakeholders include the Human Resources department in charge of employee data, the information technology team, the legal department, and key leaders within the business.
As part of the data lifecycle research, it is important to ensure that your data collection methods are examined. Most often you are using some sort of form to collect information, so the form structure and the plugin itself should be evaluated. We recommend weForms as the best contact form plugin for building forms on your WordPress site, and a special discount is available on Termageddon by using the code WEFORMS at checkout.