4 Things to Consider When Authoring Your Data Privacy Policy


I’ve always thought of email disclaimers as just an electronic version of the “do not remove under penalty of law” tags on a mattress – has anyone ever actually gone to jail for that?

If they don’t matter, are almost never read, and likely are not enforceable, then why does almost every business email you receive have a standard corporate disclaimer on it? The biggest reason companies cite is to protect confidentiality. Good luck winning that battle in court! Protecting confidentiality is not done with email boilerplate, it’s typically done by contracts or non-disclosure agreements.

Years ago, I read a funny blog by attorney James Sinclair on McSweeney’s, a humor site. Sinclair had been reluctant to add an email disclaimer, not believing that people read them and realizing that they were unenforceable anyway, so he took the opportunity to be funny with his. His blog, titled “ALRIGHT, FINE, I’LL ADD A DISCLAIMER TO MY EMAILS,” actually inspired mine (if you want to see mine, email me at j@ethix360.com).

While compliance professionals are allowed to rip off mattress tags and ignore email disclaimers, we actually have to author and enforce data privacy notices. Almost every application and website under the sun uses the words "I accept the privacy policy" somewhere.

Even with that checkbox, the added complexity of GDPR, CCPA, and other similar laws might trump your policy anyway. The big difference is that those regulations exist to protect the user, while the privacy policy on your app or site exists to protect the company.

Here are 4 things you should consider with your privacy policy in light of emerging laws and regulations:

Auditability.  

The GDPR says that any business relying on consent must “be able to demonstrate that the data subject has consented to processing of his or her data” and that it must be auditable.  This requires the company to preserve a record of their consent, often requiring re-engineering of the back-end systems.  It gets even more complicated because as the privacy policy changes, the company has an obligation to record what version of the policy the user or visitor agreed to!

What goes up, must come down. 

GDPR gives individuals the right to withdraw their consent, and it must be just as easy to withdraw it as it is to give it. The checkbox to rescind consent needs to be as prominent and obvious as the checkbox to give consent. If you give consent initially, provide data, and that data is used in accordance with the policy you consented to, does the company also have an obligation to reverse any prior use of the data once consent is rescinded? Like auditability, this means a lot of back-end work on the system, because now, when you rescind, the system must remember who you are.

Data Portability. 

Many of the newer laws require the company to be able to return all data to the user who submitted it in a commonly used, machine-readable format. In some cases, this is even being interpreted as the company’s responsibility to port the data to a third party.
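The three back-end requirements described above (a record of consent tied to the exact policy version, withdrawal that is no harder than the grant, and export of the subject's data in a machine-readable format) can be sketched as a small consent ledger. This is an added example, not code from this post or from ETHIX360: the ledger class, the two policy texts, the user id and the profile record are constructed for illustration, and identifying a policy version by a digest of its text is one design choice rather than anything the regulations prescribe.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


def policy_version_id(policy_text: str) -> str:
    # Identify a policy version by the digest of its exact wording, so that any
    # edit to the policy yields a new version the subject has not yet agreed to.
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    action: str            # "grant" or "withdraw"
    policy_version: str    # version the subject agreed to ("" for a withdrawal)
    recorded_at: str       # ISO 8601 timestamp in UTC
    source: str            # UI surface where the action happened, e.g. "signup-form"


class ConsentLedger:
    """Append-only record of consent grants and withdrawals per data subject."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _record(self, subject_id: str, action: str, policy_version: str,
                source: str) -> ConsentEvent:
        event = ConsentEvent(subject_id, action, policy_version,
                             datetime.now(timezone.utc).isoformat(), source)
        self._events.append(event)     # never edited or deleted: this is the audit trail
        return event

    def grant(self, subject_id: str, policy_text: str, source: str) -> ConsentEvent:
        return self._record(subject_id, "grant", policy_version_id(policy_text), source)

    def withdraw(self, subject_id: str, source: str) -> ConsentEvent:
        # Withdrawal takes no more input than a grant: one call, no policy lookup.
        return self._record(subject_id, "withdraw", "", source)

    def history(self, subject_id: str) -> list[dict]:
        return [asdict(e) for e in self._events if e.subject_id == subject_id]

    def has_consent(self, subject_id: str, current_policy_text: str) -> bool:
        # Consent counts only if the most recent event is a grant AND that grant
        # was given to the policy text currently in force.
        events = [e for e in self._events if e.subject_id == subject_id]
        if not events or events[-1].action != "grant":
            return False
        return events[-1].policy_version == policy_version_id(current_policy_text)

    def export_subject(self, subject_id: str, profile: dict) -> str:
        # Portability: the subject's stored data plus the full consent trail as JSON.
        return json.dumps({"subject_id": subject_id, "profile": profile,
                           "consent_history": self.history(subject_id)},
                          indent=2, sort_keys=True)


# Constructed sample data: two policy versions and one hypothetical user.
POLICY_V1 = "We use your email address to send order confirmations."
POLICY_V2 = POLICY_V1 + " We also share your email address with marketing partners."


def demo() -> dict:
    ledger = ConsentLedger()
    ledger.grant("user-42", POLICY_V1, "signup-form")
    consented_v1 = ledger.has_consent("user-42", POLICY_V1)
    # The policy text changes: the earlier grant does not carry over to the new version.
    consented_v2 = ledger.has_consent("user-42", POLICY_V2)
    ledger.withdraw("user-42", "account-settings")
    after_withdraw = ledger.has_consent("user-42", POLICY_V1)
    export = json.loads(ledger.export_subject("user-42", {"email": "user42@example.invalid"}))
    return {
        "consented_v1": consented_v1,
        "consented_v2": consented_v2,
        "after_withdraw": after_withdraw,
        "events": [e["action"] for e in export["consent_history"]],
        "policy_versions_differ": policy_version_id(POLICY_V1) != policy_version_id(POLICY_V2),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo shows the two points the text raises: a grant given to one policy version is not consent to a later version, so a changed policy needs a fresh grant, and a withdrawal is a single append that leaves the earlier grant on record for audit rather than erasing it.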

No more mattress tags. 

One last consideration is that most of the new directives require “unambiguous” language, and that consent is not presumed to be freely given.  In short, if your app or website requires user consent to your privacy policy to work, that alone might make your privacy policy invalid and even open the company up to substantial enforcement penalties.

I’ve got to be honest, and I think my friends in compliance would agree. My current headache started on May 25, 2018, with the start of GDPR, and got worse on January 1, 2020, with the start of the CCPA. So please pass the aspirin, it’s not going away anytime soon.


The ETHIX360 blog brings you weekly updates on all things human resources and compliance.


MEET THE AUTHOR

J Rollins is the co-founder and CEO of ETHIX360. J is a well known leader and innovator who has served on senior leadership teams ranging in responsibility from Chief Revenue Officer, Chief Marketing Officer, SVP of Product Strategy and Chief Operating Officer.


https://www.linkedin.com/in/jrollins/