Most organizations have posted privacy notices on their websites. Great, right? Well, consider that a 2012 study showed the average reader would need 25 days simply to read the privacy policies of all the websites accessed in a year. Website privacy notices are often very poorly written. And that is not the only problem, as I've discovered over the past couple of decades reviewing privacy notices. In the privacy impact assessments (PIAs) I've done in the past year, I've found two problems common to every one of them:
- The posted privacy notice for each had not been updated in many years
- No one (literally) within each organization had ever read the privacy notice
I've also found that, generally, most organizations do not understand the purpose of a privacy notice and are very sloppy in how they post and maintain privacy notices on their websites, creating significant liability for the organization. Many post a privacy notice once and never update it again; others post something merely to point to as marketing spin, giving the impression that they care about privacy while in fact doing none of what they've promised.
Here are some privacy notice basics to help organizations understand how to avoid the most common privacy notice mistakes.
Purpose of privacy notices
A posted privacy notice is provided to an organization's data subject audience and should identify:
- The types of personal information items that are collected
- How the personal information is used, retained, disclosed and secured
- The control that the data subjects have over their associated personal information (e.g., specific personal information items that are voluntary to provide, available opt-out options, individual rights of access and correction for associated personal information)
Privacy notices serve two primary purposes:
- Establish accountability for the organization's use, sharing and protection of personal information
- Educate the individuals to whom the personal information applies (the data subjects) about their rights regarding that personal information
Importance of privacy notices
A privacy notice establishes legal accountability for the organization to follow the practices stated in it; every statement in the notice is, in effect, a promise. Every person within the organization who accesses personal information in any way needs to know, understand and follow the promises made in the privacy notice.
The organization must also ensure that every type of computing and digital storage device is configured and used in ways that support compliance with the privacy notice. This includes the increasingly common Internet of Things (IoT) devices that are used in ways involving access to the organization's personal information.
Regulators, auditors, lawyers and other organizations will judge your privacy program by comparing your organization's actual practices, and how your managers support them, against the privacy notice. Here are a few areas where organizations often fall short of, or omit from, their own posted privacy notice:
- Inaccurate or missing details about the personal information and sensitive information being collected, shared, retained and processed
- Missing statements of the purpose(s) for collecting personal information
- No description of the entities to which, and the jurisdictions and geographical locations to which, the personal information might be disclosed or transferred
- No information on how to contact the area responsible for privacy at the organization
- Failing to provide the privacy notice either before or at the time personal information is collected
Using non-customized privacy notices
Privacy notices must be tailored to the specific data subject audiences. Two common mistakes I've seen organizations make, especially small and mid-size organizations with no position dedicated to privacy and no legal counsel with privacy experience, are:
- Copying the privacy notice of another organization in their industry and using it verbatim as their own, after simply changing the name of the organization.
- Generating a privacy notice from a free online privacy notice generator and immediately posting the result on their website without doing any customization.
It is important to customize privacy notices so that they accurately reflect the organization's own collection, use, sharing and safeguarding of personal information. The privacy notice establishes a legal obligation for the organization, so the organization must fulfill the promises it makes. If the organization cannot do what its posted privacy notice says, it has created its own legal liability, which could result in significant fines, penalties and civil actions.
Out of date privacy notices
Throughout my career I've seen a large portion of organizations that take action to implement security and privacy practices and then, once done, forget about them. For example, in my PIAs and audits I've often found organizations whose information security policies had not been updated in over a decade. I've found this to be true of posted privacy notices as well.
In three PIAs I performed in 2015, I found one privacy notice last updated in 2008, one in 2006 and another in 2004. They contained references to technologies that are no longer supported or used, to departments that no longer exist, and to phone numbers no longer in service, along with other statements that were no longer valid.
Think about how quickly your business changes in the:
- Types of personal information collected
- Ways in which personal information is used and shared
- Technologies used by all with access to personal information in all forms
When such changes occur, they often necessitate changes to the posted privacy notice so that it accurately reflects the activities involving personal information. It is important to keep the privacy notice updated so that it remains an accurate reflection of current practices.
Personnel not knowing what the privacy notice says
One of the questions I always ask key stakeholders when doing a PIA is, "Have you ever read your website's posted privacy notice?" Ninety-five to 99 percent of the time, no one has read the posted privacy notice. Ever. These are the people responsible for personnel, including those who access personal information in some way.
If you have not read the privacy notice, how can you claim to be supporting the promises it makes about how personal information is collected, used, shared and safeguarded? You cannot.
To comply with your own privacy notice, you must actually read it, understand it, and do business in accordance with its promises. Your work activities must support those promises.
Maintain the privacy notice
When it comes to privacy notices, be sure to update them appropriately. Some actions you can take to accomplish this:
- Perform a privacy impact assessment (PIA) against your posted privacy notice to see where you are not in compliance with it, and to determine where changes and updates to the notice are necessary.
- Assign a position or team the responsibility to review the privacy notice at least once a year, and after major operational and technology changes, and to update the notice appropriately.
- Ask legal counsel to monitor changes in data protection legal requirements and notify the assigned team of such changes so they can be considered when determining how to update the privacy notice.
* This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell's thought leadership site dell.com/futureready. Dell sponsored this article, but the opinions are my own and don't necessarily represent Dell's positions or strategies.