Around the world, collective privacy awareness is gathering steam. As more personal information is shared online, governments are responding to a heightened demand for transparency by the companies who handle it - and consumers are becoming increasingly aware of their data protection rights.
Regulating the digital space has always been a challenge. Data regularly crosses international borders, and privacy frameworks in different countries do not always align directly with one another.
However, any business or organization handling customer information, however small, is subject to an obligation to inform individuals about how they use their personal information. A robust privacy policy (also sometimes referred to as a “privacy notice”, “fair processing information”, or “privacy information”) is likely to be a key part of meeting that transparency requirement.
In this article, we will explore the different laws governing privacy policies across the world, before taking an in-depth look at how to create a policy which keeps your organization compliant, transparent, and accountable.
Summary
Why is a privacy policy required?
There are a number of reasons why privacy policies are required, the three most important being:
Compliance
The main reason to have a strong privacy policy in place is simple - to stay on the right side of the law.
Whilst not every regime is equally prescriptive as to form and content, they all require that people are informed in some way about how their personal information is being used. A well drafted policy demonstrates compliance, and is likely to protect you against costly enforcement action.
Transparency
A privacy policy which is clear, open, and accessible sends a message to people that you take their data rights seriously. It is mandatory with regard to article 12 and following of the GDPR
By communicating honestly about what, how, and why you are using their information, you hand back control to the consumer. In the event of a dispute or complaint, a clearly written policy is also a valuable reference point which can be used to protect parties on both sides.
Reputation
Building trust with your consumers through a transparent privacy policy will have a knock-on effect when it comes to your wider reputation.
As data awareness grows, consumers are increasingly reluctant to engage with businesses if they do not have confidence that their information will be kept safe. A strong privacy message reassures the market that you are not blindly mining data for profit.
Privacy policy laws by country
The legal framework governing your organization’s privacy policy will depend on two things - the location of your business, and the location of your customers.
If either of these cross into more than one jurisdiction, you must ensure that your policy complies with the law in each. This can sometimes be accomplished by one policy - but if your operations cross multiple borders, it may be necessary to create individual policies under each regime.
For the purposes of this article, we will consider the main legal regimes across the world which require a privacy policy at the time of writing. These are:
The European Union
Under the General Data Protection Regulation (“GDPR”), any organization that processes the personal data of EU residents must comply with transparency and accountability rules.
This includes publishing a privacy policy, which is governed by Articles 12, 13 and 14 of the GDPR. A full list of the countries covered by the GDPR can be viewed here.
The United Kingdom
The UK General Data Protection Regulation (“UK GDPR”) is currently under review with pending reforms. Current requirements governing the need for privacy policies are found under Articles 13 and 14. Check out Didomi’s detailed guide to the UK regime here.
Canada
Under Canada’s federal privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), a privacy policy is likely to form part of the obligation to obtain informed consent from data subjects for data processing. Didomi’s guide to PIPEDA can be accessed here.
At a regional level, Alberta and British Columbia have adopted additional requirements under the Personal Information Protection Act (“PIPA”), and Quebec has adopted its own legislation under Law 25. You can read Didomi’s detailed breakdown of Quebec’s regime here.
Australia
The Privacy Act of 1988 requires all Australian Government agencies and organizations with annual turnover of more than 3 million AUD to publish a privacy policy. Whilst smaller businesses are not currently covered, they may still wish to produce a notice as a matter of commercial awareness.
USA - California
There is currently no federal privacy law in the USA. However, the California Consumer Privacy Act (“CCPA”) requires businesses to provide notice to consumers before collecting their personal data. In practice, this is likely to always involve publishing a privacy policy. Read Didomi’s full guide here.
USA - Nevada
The Nevada Internet Privacy Law and Senate Bill (“SB 220”) governs privacy requirements for businesses operating in Nevada. Specifically, the Nevada Revised Statutes Chapter 603A creates the requirement for businesses to display a Privacy Policy. Read our full regime guide here.
South Africa
The Protection of Personal Information Act (“POPIA”) places strict requirements on businesses in South Africa to inform data subjects about the collection and use of their data. Practically, this is likely to involve publishing some form of privacy policy. Read our guide to the South African regime here.
What should a privacy policy include?
In most cases, you should be able to create a privacy policy yourself. There are countless resources, templates and checklists out there to help you formulate a policy which suits the needs of your business and complies with your legal regime.
However, if you are a particularly large organization with complex data practices (especially ones which cross international borders) it may be worth consulting a specialist advisor to ensure that you get it right.
Because every jurisdiction has its own rules, it is not possible to compile a universal list of everything that should be included in a privacy policy. You should refer carefully to the law in your country or state to ensure that you have included everything which is required to stay compliant.
As a starting point, however, most policies should include the following information:
What personal information is being processed
This sounds simple - but even an average website can collect extensive amounts of information. It is likely that you will need to undertake a thorough audit of your organization processes (from functional and statistical purposes to marketing) to ensure that you compile an accurate list.
It is mandatory to inform the data subjects about the categories of personal data that is processed. In case where the personal data is not collected directly through the data subject (indirect collection), the source of the data must also be provided.
The legal basis for processing
This will depend on your jurisdiction. In most cases, your privacy policy should state the legal basis that you rely on for your data processing operations (for example, Article 6 of the UK GDPR).
In limited circumstances, local laws will actively require an individual to provide certain personal information (for example, in the case of law enforcement). If this is the case in respect of any of your data collection activities, ensure that you clearly cite the relevant statutory or contractual authority.
The purpose for processing
Why are you collecting people’s personal information? This is not the same thing as the legal basis for collection - you need to clearly set out the reasons that you need people’s details, and what you plan to do with them.
Be specific - it is likely that your organization will collect personal data for more than one purpose (for example, web operations, marketing, or sales processing).
Data storage and retention
You should clearly set out how personal information will be stored - and how long for. If you are not able to provide a specific data retention period, you should, as a minimum, explain what criteria you will use in order to make a decision about how long to hold any given personal details.
Third party sharing
Many businesses will need to share personal information with other organizations as part of their operations. If this applies to you, make sure that you clearly state who these third parties are - including any other organizations who are processing the data on your behalf.
You should be as specific as possible about who these parties are, when information will be shared with them, and why.
Cross-border sharing
If your operations involve transferring people’s personal information to any organizations or countries outside of your jurisdiction, you should make sure that this is stated - as well as what safeguards you have in place to ensure that the information remains protected.
If you are sharing across borders, the information that you provide must also be compliant with the receiving regimes.
Cookies
Given the vast usage of cookies worldwide and the particular technologies involved, many regimes require a separate statement or pop-up to deal with them - but this can also be incorporated into your privacy policy.
At a minimum, you will need to inform your users that you are using cookies, why, the lifespan of the cookies (according to caselaw), and the identity of the vendors. Under most regimes, you will also be required to seek user consent before using cookies at all.
Learn how to easily create a comprehensive cookie policy here.
Data subject rights
This is one of the most important parts of any privacy policy - you need to clearly inform your customers of their rights over their personal information.
The nature of these rights will be dependent on the laws in your country - but they are likely to include the right to access a copy of data collected about a person, and the right to rectify or erase it.
Consent and opting out
The laws governing consent vary considerably by country. It is critical to state, clearly and separately to other data subject rights, when consent is required for the processing of personal information, how that consent is to be given, and how it can be withdrawn or refused.
The process for withdrawing or refusing consent should be as simple and easy as it is to grant it. A pop-up alert is often used for this.
Contact details
Under all regimes, you will need to clearly state who you are, and how customers can contact you in relation to their personal information. Unless you are a very small business, you should usually have a designated individual or team (usually a data protection officer or equivalent responsible person) to deal with privacy matters - if this is the case, their contact information should be provided.
Under the GDPR, you must provide the identity and contact details of the controller and, where applicable, of his representative, as well as the contact details of the DPO or point of contact.
Complaints
Under some regimes (for example, the GDPR), data subjects have a right to complain to their relevant supervisory authority in the event that you infringe their privacy rights. If this applies, you should provide the name and contact details of that supervisory authority. For example, in the UK, this would be the Information Commissioner’s Office.
Automated decision-making
If your organization makes any automated decisions about data subjects, your policy should clearly inform users about how this is carried out, how it might affect them, and how to request information about how a decision has been made (for example, refusal of a bank loan).
This can be a complex area, but it is important to make your process, and its impact on your customers, as clear as possible.
How to write a privacy policy
Writing a privacy policy entails a few key elements, starting with the language you will use to the actual format of the policy, which jurisdiction you operate in and the processes in place to update the content.
Language and tone
Regardless of how simple or complex your data practices are, it is essential that your privacy policy itself is written in a clear, accessible and easy to read format, and that it is made available to consumers free of charge. You should also provide a version for visually impaired users.
Try to avoid vague or complex language. A useful rule of thumb is to write as though you were speaking to a child. As far as possible, you should steer clear of ambiguous words like “may”, “might” or “some”. Instead, try to use the active tense - “we will”.
Although you can choose to create a policy from scratch, there are lots of templates and guides out there to help you. We have included some examples later on in this article. Never be tempted to simply copy someone else’s policy - it is highly unlikely to be tailored to the needs of your business.
Format
Your privacy policy can take the form of a web page, pop-up, or downloadable document - the important thing is that you provide it immediately at the point of collection.
It should also be easy for consumers to return to at a later date. If you are collecting information by email, you should also ensure that your policy is included or clearly linked in the footer. The same goes for online forms.
Jurisdiction
As stated above, your privacy policy must be specific to your organization’s operations, industry, and jurisdiction. Remember that the location of your customers is just as important as the location of your base.
For example, if you are based in Canada but have website visitors from Europe, your privacy policy must comply with the GDPR as well as with Canadian laws.
Updating
Creating a privacy policy is not a one-off activity that you can walk away and forget about once it’s done! Technologies and regulatory landscapes are constantly changing - it is important to keep your policy under regular review, and update it as needed as the legal environment evolves.
Penalties for non-compliance to privacy policy requirements
The consequences for failing to comply with privacy policy requirements vary considerably depending on legal jurisdiction. In general, penalties range from hefty fines to prosecution and loss of commercial licenses. There are knock-on effects to be considered beyond legal penalties, as failure to display legal notices will also undermine consumer confidence and harm business reputation.
European Union
Under the GDPR there are two tiers of fines for non-compliance with privacy laws - and a failure to produce a suitable privacy policy could violate both.
For a tier 1 violation, the fine is 2% of your company’s annual turnover or 10 Million Euros, whichever is higher. A tier 2 violation is much more serious, amounting to 4% of your company’s annual turnover or 20 Million Euros, whichever is higher.
United Kingdom
The UK GDPR is currently under review by the government. At present, the ICO has powers to levy fines of up to £17.5m GBP (or 4% of a business’s global turnover).
It also has the power to issue assessment notices and carry out audits on organizations suspected of breaking the law.
Canada
Under PIPEDA, companies can be fined up to $100,000 CAD for privacy violations. In Quebec, organizations can face far greater fines of up to $25,000,000, or 4% of their worldwide turnover for the preceding fiscal year.
Australia
Under The Privacy Act of 1988, the maximum penalty is currently 2,220,000 AUD. However, this is set to dramatically increase to whichever is greater - 10 million AUD, three times the benefit obtained through misuse of personal information, or 10% of a company's annual domestic turnover.
California
Unintentional violations of CCPA incur a penalty of $2,500 each. For intentional violations, this jumps up to $7,500. Individual consumers also have the right to sue businesses for breaches.
Nevada
Under Nevada’s privacy laws, fines can be imposed on businesses of up to $5,000 per violation. Unlike in California, there is no private right of action for consumers.
South Africa
Under POPIA, the Information Regulator can fine an organization up to ZAR 10 million (approximately 490,000 Euros) for violations of the law. Individuals can also face imprisonment of up to 10 years.
Key takeaways
- A privacy policy sets out the way that your business collects, uses, shares, and manages people’s personal information. It should be displayed at the point of collection.
- A robust privacy policy not only ensures legal compliance and helps you to avoid hefty fines - it also establishes a foundation of trust with your customers, enhancing your reputation as an organization which takes data protection seriously.
- Privacy laws vary considerably by state and country. You should ensure that you identify the relevant legal framework which applies to your business - bearing in mind that this is determined not only by your location, but by the location of your customers.
- In most cases, you should be able to draft your privacy policy yourself - the resources provided in this article are a great starting point. However, for large and complex data processing operations, it is best to consult a specialist to ensure that nothing is missed.
- The key thing to remember when drafting a privacy policy is accessibility. Above all else, it is imperative to make sure that your policy is clear and easy to understand - for everyone.
- Privacy policies should be regularly monitored and updated as the legal landscape evolves. The way that the world uses and regulates personal data is changing fast - don’t get complacent and risk being left behind.
To learn how Didomi can help with your privacy policy and other compliance challenges, schedule a call with one of our experts:
