By Barbara Clayton[i]
Why Should Your Client Care About a Meaningful Notice?
Robert M. Waitman, Director of Privacy Insights and Innovation at Cisco Systems (Waitman), examined both the actions and attitudes of consumers with respect to their data privacy and found a new segment of “privacy active” consumers who are well-informed on privacy practices. Eighty-three percent of these privacy active consumers read the notice and these consumers have taken action to switch from companies over data practices. Privacy active consumers are more likely to be affluent and shop online, and do not buy products from companies they believe are not transparent about consumer data use.
Additionally, if a company suffers a data breach or is impacted by spillover public sentiment from a competitor’s data breach, their notice’s lack of transparency can put them at risk of reputational damage and associated loss of market value. A joint research publication by University of Washington and Colorado State University found firms that lacked transparent privacy policies suffered a 1.5 times larger drop in stock price after a breach event (their own or a competitor’s) than those with high transparency in their notices.
Leading Practices to Provide a Meaningful Privacy Notice
Almost two decades ago, the California Online Privacy Protection Act of 2003 (CalOPPA) became the first law to require website operators to post a privacy notice requiring a certain description of applicable privacy practices. Since then, additional laws such as California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act (CPRA) which amended the CCPA, also require a privacy notice be presented in a way that is easy to read and understandable to consumers by avoiding jargon and using a readable format. The Federal Trade Commission (FTC) also compels companies to be transparent in their privacy practices and adhere to what they have disclosed in their notice using Section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Companies can adopt a set of practices to create a meaningful privacy notice aligned to these requirements.
Companies intending to develop a meaningful notice should take time to plan their approach to ensure the notice is readable while accurately conveying their privacy policies. Some useful points to consider include:
- Adopt a practice to review and update their notice at regular intervals and when a change impacts their privacy policies, as needed. At a minimum, notice reviews should take place annually. Even if the notice does not need to be updated, a record that the review took place should be maintained.
- Establish a guideline of parameters to determine what should be reviewed to ensure the content is understandable and relevant. A good resource is Lindsey Krolik’s guide on how to meet plain language requirements in CCPA.
- Content is not enough; the notice should contain short and simple messaging. The goal is to create a notice that could be easily read and understood by the average person. Resources like Plain language.gov and The Center for Plain Language can help simplify messaging.
- Tools to auto-generate notices should still be reviewed by legal counsel because the notice creates a legal obligation.
- A privacy notice checklist can be extremely useful. For example, the checklist should ensure the privacy notice explains how to manage data upon a business exit or transfer, clarify that the notice does not apply to third-party websites or services, and detail the collection and use of user-generated content, such as product ratings. A checklist can help create a comprehensive privacy notice strategy.
Privacy Practices As Part Of The Overall Branding Strategy
Waitman’s research on privacy active consumers found a growing number of customers believe that the way their data is treated reflects how they are treated as customers. Companies can send a message to their customers that privacy practices are a basic part of their operations by integrating their brand messaging in the notice in the following ways:
- The privacy notice introductory paragraph should include the company mission statement and how data use supports that mission.
- The language style of the notice should be crafted to resonate with the company’s values so that they identify this notice as consistent with overall brand messaging. Icons used on the site can also be used in the notice—both to enhance readability and to tie the brand to its statements on respecting consumer’s privacy.
- Seek customer feedback on the privacy notice and follow up as needed to improve the transparency. Encouraging communication enhances understanding of customer perspective and provides a method to address issues, both practices which enhance brand loyalty.
Facilitate Information Disclosure
- Privacy Policies should explain information collection and use in the context of how the consumer navigates the site or product. Customers can more easily find relevant information if its presentation follows the path a user takes when using the site.
- Include methods to provide answers to common questions by leveraging documentation tools that clearly format data, such as bulleted lists and hyperlinks. The California Attorney General recommends the use of graphics in the privacy notice to help with readability.
- Be specific about how the information is collected. Examples can help customers better understand the data collection process.
- The policy should also clearly instruct customers on how they can control and make decisions about the use and sharing of their data.
Beyond the Notice
Companies can employ the following strategies to enhance their privacy practices as well as their notice:
- Companies should understand the interplay of their customer’s vulnerability, the transparency of the privacy notice, and the control the consumer has over their data. Consumers feel vulnerable when disclosing personal information. Those feelings of vulnerability quickly target companies, resulting in brand harm and financial loss, even when a data breach event was caused by the bad acts of a third party. Companies can mitigate this risk by providing transparency in the notice and allowing users a high level of control over how their data is used.
- A good practice is to create and maintain data maps or registers that show the types of data collected and how that data is used. This helps ensure that privacy notices accurately reflect internal data practices.
- In designing privacy practices, be aware of privacy standards including the FTC’s Privacy Framework which emphasized transparency, choice and privacy by design and is based on the Fair Information Principles as well as the NIST Privacy Framework which uses risk management to improve privacy protections.
- Companies can optimize their approach to protecting consumers’ privacy against opportunities to monetize data collected by aligning to the common standards in their industry. Analysis shows that firms with a “follow the crowd” strategy for privacy policies are evaluated more positively by financial markets
As the pandemic has forced many businesses to shift activities online, it makes sense for companies to meet with legal counsel to discuss privacy practices as well as evaluate whether their practices and brand values are accurately reflected in the privacy notice. This review will not only ensure compliance with regulatory standards, it will also create a meaningful privacy notice that builds stronger customer relationships.
[i] Barbara Clayton is a J.D. and Privacy Law Certificate Candidate at Santa Clara University School of Law.