Step Eight: Notify and Socialize
This isn’t just a PR best practice. In some cases, you may have a legal or regulatory obligation to send out policy update notices.
For example, the Federal Trade Commission (FTC) has stated in various consent decrees and guides, including its landmark 2012 report Protecting Consumer Privacy in an Era of Rapid Change, that “materially” changing a privacy policy and applying the change retroactively to previously collected personal data could require the company to provide users with adequate notice and choice before the change takes effect.
In some cases, acquired websites that had previously made “no third-party data sharing” statements are prohibited from sharing that data even with the new parent company (see FTC v. Toysmart).
Best (and expected) notification practices include:
- Sending a link to the updated policy via email with a summary of key changes and relevant links
- Adding a notification banner to your company’s homepage or regular email communications (marketing or transactional)
- Popping up an interstitial with a summary of changes and relevant links
- For businesses with annual notice obligations (e.g. financial services), mailing out a printed copy
- For businesses with a physical presence, printing a summary of the privacy policy and posting it in a visible location (QR codes can direct readers to the online version)
Once you post your privacy policy, you need to decide on the business processes behind it, specifically the submission process for consumer privacy requests, and consumer management of applicable privacy preferences.
Best practices include:
- Offering a designated privacy request intake form: Request submissions via a form help standardize your instructions, and the information you need to verify identity and fulfill the DSR is provided up front. From DataGrail’s perspective, forms support the highest level of automation and consistency. From a consumer perspective, forms support quick and efficient request capture.
- Displaying consolidated opt-out/choice links: For example, California businesses must provide opt-out links saying "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" as applicable. Alternatively, they may consolidate these to say “Your Privacy Choices” or “Your California Privacy Choices.”
- Avoiding the use of a generic support channel for privacy requests: If you provide an email address, ensure the account is dedicated to receiving privacy rights requests (e.g., [email protected]). Avoid using your general support email address as a privacy request intake channel, as this can lead to misdirected messages, omissions, and missed regulatory response deadlines (typically 24 hours).
- Giving data subjects different methods to submit their privacy requests: California is the most prescriptive of the new generation of comprehensive U.S. state privacy laws. Most covered organizations need to provide at least two DSR intake mechanisms. These methods should align with how your company usually interacts with individuals. For example, it makes little sense for an internet-native company to accept requests by postal mail over a web form and email.
- Recognizing universal opt-out signals: California, Colorado, and other state privacy laws require companies to include information on how consumers can use opt-out preference signals, in addition to instructions for the other opt-out methods offered. Internet-native businesses should state their intention to honor these signals in a frictionless manner.
Bottom Line:
An effective privacy program contributes to public (privacy) relations. New and “materially” updated privacy policies must be communicated. Key points, including how individuals may exercise their privacy rights, should be the hero of any socialization campaign. After all, consumers have the right to disagree with your data practices.
Expect consumers to respond to your update notifications. Some will want to exercise their privacy right to opt out of data selling/sharing.
Forward emails to DataGrail’s Request Manager or direct requests to your intake forms. DataGrail integrates with transactional mailers Mandrill, SendInBlue, Postmark, Sparkpost, MailGun, SendGrid, and Amazon SES.
Request a demo to learn more about inbound emails or connecting to another email technology provider.
We can also refer you to trusted legal advisors to discuss “material” changes in your privacy practices.
Connect with other pros (free) to talk about best practices for policy updates and notifications. Join the Privacy Basecamp Community.