
Step Seven: Craft a Meaningful Privacy Policy

The privacy policy is the central tent pole of your privacy program. It also plays an important role in your organization’s public relations.

Privacy policies have evolved from dense legal documents to being more consumer-friendly and educational. This is due, in part, to increased consumer data privacy awareness, and the operational influence of the GDPR’s plain-language transparency requirements. As a result, many companies are simplifying their privacy policies and making them easier to understand.

The standards and norms for presenting clear, easy-to-understand privacy information continue to evolve, including through regulatory enforcement. Most recently, the Data Protection Commission (DPC) found Meta Ireland in breach of GDPR partly for not providing clear and meaningful information about its legal basis for processing personal data. The DPC proposed substantial fines and directed the company to bring its privacy policy into compliance within a short period.

Learnings:

  • Make it easy for individuals to understand the extent of data processing by providing a single, easy-to-understand document or webpage covering everything.
  • Avoid making individuals search through multiple documents to find the information they need.
  • Instead of listing purposes and legal bases in the abstract, explain them in the context of the specific data processing activities.

Privacy Policy Ingredients

GDPR:

  • Information about the Data Controller: Provides the name and contact details of the company or organization that’s collecting and processing personal data.
  • Information about the Data Protection Officer (DPO): Provides the name and contact details of the DPO, if one is appointed, as well as their role and responsibilities.
  • Purpose of Data Processing: Explains the reasons why personal data is being collected and processed, and what it will be used for.
  • Legal Basis for Processing: Explains the legal basis for collecting and processing personal data, like consent or performance of a contract concerning the data being collected and processed.
  • Data Retention: Explains how long personal data will be kept and the criteria used to determine the retention period.
  • Data Recipients: Explains who personal data will be shared with and for what purpose.
  • Data Subject Rights: Explains the rights of individuals regarding their personal data, like the right to access, correct, delete, or object to the processing of their data.
  • Security Measures: Explains the technical and organizational measures taken to protect personal data from unauthorized access, alteration, or destruction.
  • General Privacy Contact Information: Provides contact information for individuals to exercise their rights and acquire additional information regarding data protection.
  • Changes to the Privacy Policy: Explains the process for updating the privacy policy, and how individuals will be notified of policy changes.

CCPA 2.0 (as amended by CPRA):

  • Information about the Business: Provides the name and contact details of the company or organization that’s collecting and processing California personal information.
  • Information about the Data Collected: Includes the categories of personal information the company collects and the data source.
  • Information about the Purpose of Collection: Explains the business purpose for collecting personal data, and how it’ll be used.
  • Data Sharing and Disclosure: Explains whom the company shares personal information with and for what purposes. If the company sells or shares personal information with targeted ad providers, it must include instructions on how consumers can opt out of such selling and sharing.
  • Sensitive Personal Information Disclosure: Explains how the company may use and share sensitive data, and, if it does, whether/how consumers may limit the use and disclosure of this data.
  • Data Retention: Explains how long personal data is kept and the criteria used to determine the retention period.
  • California Privacy Rights: Describes the rights of California residents under the CCPA, like the right to access, delete, and opt out of the sale or sharing of personal information, and how to exercise these rights.
  • Security Measures: Explains the measures taken to protect personal information from unauthorized access, alteration, or destruction.
  • Contact Information: Provides contact information for individuals to exercise their rights and acquire additional information regarding data protection.
  • Changes to the Privacy Policy: Explains the process for updating the privacy policy, and how individuals will be notified of policy changes.
  • Notice at Collection: A just-in-time disclosure or a deep-linked section of the privacy policy which explains the categories of personal information being collected, the purpose for which it’s used, and the rights of the consumer under the CCPA.
  • Financial Incentives: Explains any financial incentives offered to consumers, as well as how they’re calculated and the method for opting in or out of the program.

Rather than starting completely from scratch, there are plenty of references to help you with your privacy policy and notice. You can visit this page for help writing a GDPR-aligned policy. The International Association of Privacy Professionals (IAPP) created this white paper to help companies write HR-related CCPA/CPRA privacy statements. Finally, it’s never a bad idea to research the many ways in which companies tackle this challenge.

Remember: Because particular transparency requirements can vary across jurisdictions, it’s up to you to adapt your disclosures, layout, and navigation accordingly. Don’t forget to make your privacy policy accessible, and to clearly mark it as “updated” in its pre-header.


Bottom Line:

Individuals must have a clear understanding of what your organization is doing with their data. A contextualized, meaningful, and easy-to-understand privacy policy doesn’t need to be a wall of text. Working with a skilled designer can bring your transparency efforts to life.

How to Get Started


Live Data Map in DataGrail is the start of a well-crafted privacy policy or notice.

Let your RoPAs be your guides. Standardize your descriptions and categorizations with our data processing taxonomy.

Meet your privacy rights obligations efficiently across all your brands.


Request a demo to learn more about customizing your inventory system reports or intake forms.

We can refer you to trusted law firms and policy creation specialists for additional support.


Connect with other pros (free) to talk about privacy policy writing, design, and curation. Join the Privacy Basecamp Community.