Around the world, collective privacy awareness is gathering steam. As more personal information is shared online, governments are responding to a heightened demand for transparency from the companies that handle it - and consumers are becoming increasingly aware of their data protection rights.
Regulating the digital space has always been a challenge. Data regularly crosses international borders, and privacy frameworks in different countries do not always align directly with one another.
In this article, we will explore the different laws governing privacy policies across the world, before taking an in-depth look at how to create a policy which keeps your organization compliant, transparent, and accountable.
There are a number of reasons why privacy policies are required, the three most important being:
Whilst not every regime is equally prescriptive as to form and content, they all require that people are informed in some way about how their personal information is being used. A well-drafted policy demonstrates compliance and is likely to protect you against costly enforcement action.
By communicating honestly about what, how, and why you are using their information, you hand back control to the consumer. In the event of a dispute or complaint, a clearly written policy is also a valuable reference point which can be used to protect parties on both sides.
As data awareness grows, consumers are increasingly reluctant to engage with businesses if they do not have confidence that their information will be kept safe. A strong privacy message reassures the market that you are not blindly mining data for profit.
If either of these crosses into more than one jurisdiction, you must ensure that your policy complies with the law in each. This can sometimes be accomplished with a single policy - but if your operations cross multiple borders, it may be necessary to create individual policies under each regime.
The European Union
Under the General Data Protection Regulation (“GDPR”), any organization that processes the personal data of EU residents must comply with transparency and accountability rules.
The United Kingdom
The UK General Data Protection Regulation (“UK GDPR”) is currently under review with pending reforms. Current requirements governing the need for privacy policies are found under Articles 13 and 14. Check out Didomi’s detailed guide to the UK regime here.
At a regional level, Alberta and British Columbia have adopted additional requirements under the Personal Information Protection Act (“PIPA”), and Quebec has adopted its own legislation under Law 25. You can read Didomi’s detailed breakdown of Quebec’s regime here.
USA - California
USA - Nevada
However, if you are a particularly large organization with complex data practices (especially ones which cross international borders), it may be worth consulting a specialist advisor to ensure that you get it right.
As a starting point, however, most policies should include the following information:
What personal information is being processed
This sounds simple - but even an average website can collect extensive amounts of information. It is likely that you will need to undertake a thorough audit of your organization's processes (from functional and statistical purposes to marketing) to ensure that you compile an accurate list.
It is mandatory to inform data subjects about the categories of personal data that are processed. Where the personal data is not collected directly from the data subject (indirect collection), the source of the data must also be provided.
The legal basis for processing
In limited circumstances, local laws will actively require an individual to provide certain personal information (for example, in the case of law enforcement). If this is the case in respect of any of your data collection activities, ensure that you clearly cite the relevant statutory or contractual authority.
The purpose for processing
Why are you collecting people’s personal information? This is not the same thing as the legal basis for collection - you need to clearly set out the reasons that you need people’s details, and what you plan to do with them.
Be specific - it is likely that your organization will collect personal data for more than one purpose (for example, web operations, marketing, or sales processing).
Data storage and retention
You should clearly set out how personal information will be stored, and for how long. If you are not able to provide a specific data retention period, you should, as a minimum, explain what criteria you will use to decide how long to hold any given personal details.
Third party sharing
Many businesses will need to share personal information with other organizations as part of their operations. If this applies to you, make sure that you clearly state who these third parties are - including any other organizations who are processing the data on your behalf.
You should be as specific as possible about who these parties are, when information will be shared with them, and why.
If your operations involve transferring people’s personal information to any organizations or countries outside of your jurisdiction, you should make sure that this is stated - as well as what safeguards you have in place to ensure that the information remains protected.
If you are sharing across borders, the information that you provide must also be compliant with the receiving regimes.
At a minimum, you will need to inform your users that you are using cookies, why, the lifespan of the cookies (according to caselaw), and the identity of the vendors. Under most regimes, you will also be required to seek user consent before using cookies at all.
Data subject rights
The nature of these rights will be dependent on the laws in your country - but they are likely to include the right to access a copy of data collected about a person, and the right to rectify or erase it.
Consent and opting out
The laws governing consent vary considerably by country. It is critical to state, clearly and separately to other data subject rights, when consent is required for the processing of personal information, how that consent is to be given, and how it can be withdrawn or refused.
The process for withdrawing or refusing consent should be as simple and easy as it is to grant it. A pop-up alert is often used for this.
Under all regimes, you will need to clearly state who you are, and how customers can contact you in relation to their personal information. Unless you are a very small business, you should usually have a designated individual or team (usually a data protection officer or equivalent responsible person) to deal with privacy matters - if this is the case, their contact information should be provided.
Under the GDPR, you must provide the identity and contact details of the controller and, where applicable, of its representative, as well as the contact details of the DPO or point of contact.
Under some regimes (for example, the GDPR), data subjects have a right to complain to their relevant supervisory authority in the event that you infringe their privacy rights. If this applies, you should provide the name and contact details of that supervisory authority. For example, in the UK, this would be the Information Commissioner’s Office.
If your organization makes any automated decisions about data subjects, your policy should clearly inform users about how this is carried out, how it might affect them, and how to request information about how a decision has been made (for example, refusal of a bank loan).
This can be a complex area, but it is important to make your process, and its impact on your customers, as clear as possible.
Language and tone
Try to avoid vague or complex language. A useful rule of thumb is to write as though you were speaking to a child. As far as possible, you should steer clear of ambiguous words like “may”, “might” or “some”. Instead, use the active voice - “we will”.
Although you can choose to create a policy from scratch, there are lots of templates and guides out there to help you. We have included some examples later on in this article. Never be tempted to simply copy someone else’s policy - it is highly unlikely to be tailored to the needs of your business.
It should also be easy for consumers to return to at a later date. If you are collecting information by email, you should also ensure that your policy is included or clearly linked in the footer. The same goes for online forms.
For a tier 1 violation, the fine is 2% of your company’s annual turnover or 10 million euros, whichever is higher. A tier 2 violation is much more serious, amounting to 4% of your company’s annual turnover or 20 million euros, whichever is higher.
The UK GDPR is currently under review by the government. At present, the ICO has powers to levy fines of up to £17.5 million (or 4% of a business’s global turnover).
It also has the power to issue assessment notices and carry out audits on organizations suspected of breaking the law.
Under PIPEDA, companies can be fined up to $100,000 CAD for privacy violations. In Quebec, organizations can face far greater fines of up to $25,000,000, or 4% of their worldwide turnover for the preceding fiscal year.
Under the Privacy Act 1988, the maximum penalty is currently 2,220,000 AUD. However, this is set to increase dramatically to whichever is greater: 10 million AUD, three times the benefit obtained through misuse of personal information, or 10% of a company's annual domestic turnover.
Unintentional violations of CCPA incur a penalty of $2,500 each. For intentional violations, this jumps up to $7,500. Individual consumers also have the right to sue businesses for breaches.
Under Nevada’s privacy laws, fines can be imposed on businesses of up to $5,000 per violation. Unlike in California, there is no private right of action for consumers.
Under POPIA, the Information Regulator can fine an organization up to ZAR 10 million (approximately 490,000 Euros) for violations of the law. Individuals can also face imprisonment of up to 10 years.
- Privacy laws vary considerably by state and country. You should ensure that you identify the relevant legal framework which applies to your business - bearing in mind that this is determined not only by your location, but by the location of your customers.
- Privacy policies should be regularly monitored and updated as the legal landscape evolves. The way that the world uses and regulates personal data is changing fast - don’t get complacent and risk being left behind.