By Jason M. Schwent, Senior Counsel, Clark Hill
The enactment of the California Online Privacy Protection Act of 2003 created a need for commercial websites in the United States to provide an online privacy policy telling visitors how a company collects information from visitors to the site, how that information may be shared with others, and how visitors can access that information. Since that time, privacy policies have become a routine and ubiquitous part of commercial websites. The preparation of those privacy policies was fairly innocuous and straightforward—often little more than a simple, accurate recitation of company practices would suffice. But with the proliferation of state consumer data privacy laws and more enforcement activity by the Federal Trade Commission (“FTC”), the simple privacy policy is fast becoming a key regulatory disclosure, uniquely indicative of a company’s compliance practices and procedures.
Modeled in part on the European Union’s expansive General Data Protection Regulation (GDPR), which went into effect in 2018, state consumer privacy laws push companies to be more open with the public about their collection, use, and sharing of the information they collect. Since 2018, the number of state consumer data privacy laws has increased quickly. Following the GDPR’s lead, states, again starting with California and the California Consumer Privacy Act, began passing comprehensive consumer data privacy regulations aimed at giving consumers increased rights in and to the information they provide to companies. Similar bills have since been passed in Colorado, Utah, Virginia, and Connecticut, and California’s law has been updated by the California Privacy Rights Act of 2020. In the past year alone, legislatures in Iowa, Indiana, Tennessee, Montana, Florida, and Texas have each passed comprehensive state consumer data privacy laws, with more laws contemplated in still more states.
These state consumer data privacy laws require companies to tell the public what information they collect, why they collect it, what they do with it, with whom they share it, whether they sell it, how they protect it, and when they delete it. These statutes also give the public certain rights concerning the data that companies collect from them, including the right to know what information is collected, to delete information, to prevent the sale of information, to correct erroneous information, and to transfer their information to another business. Regulations mandate that this information be provided to the public prior to or at the time the information is collected.
Because commerce is increasingly conducted via the internet and mobile applications, and since almost every company has a presence on the internet or a mobile application, website and mobile application privacy policies have become a key way for companies to satisfy the requirements of these data privacy laws by making the required disclosures and allowing the public to make inquiries. This elevates the privacy policy to one of the key documents in this entire regulatory process. For all companies, the privacy policy is central to satisfying regulatory obligations. But for companies operating in multiple states, the privacy policy must do more than simply report on the activities of the company—it must simultaneously satisfy multiple, specific regulatory requirements under multiple laws. Crafting a privacy policy that meets the requirements of the increasingly complex patchwork of state consumer privacy regulations in the United States requires considerable analysis and consideration. These privacy policies must be thorough and attentive to all laws and regulations applicable to a business, both currently and in the foreseeable future. They must be accurate, because false statements concerning data privacy practices can be treated by the Federal Trade Commission as an unfair or deceptive practice and create liability for the company. And they must be updated regularly to account for changes in the company’s practices and in the various laws. For too many companies, the thoroughness, attentiveness, accuracy, and currency required by these statutes and regulations are not reflected in their privacy policies, which leads to problems with the second reason these policies are so important.
The second reason that privacy policies are important is that they are a revealing window into the compliance operations of a business. As state regulations and laws concerning consumer data privacy have increased, so too has the need to enforce them. Enforcement requires information on a company’s data collection, use, protection, transfer, and deletion practices – all of which is found in a well-crafted privacy policy.
For those working in data privacy and with the ever-increasing regulations concerning the collection, use, protection, transfer, and deletion of consumer data, privacy policies are particularly enlightening documents. Because most companies’ compliance activities are internal to the organization and not readily ascertainable, it can be difficult, without an audit of a company’s compliance program, to assess the thoroughness, thoughtfulness, and sophistication of a company’s compliance efforts. A privacy policy can provide insight in these areas. By examining the public privacy policy posted by a company on its website or mobile application, a regulator can quickly and accurately assess the compliance maturity and sophistication of the company. For a person familiar with data privacy law and the applicable regulations, the descriptions provided in a privacy policy, the language used, the positions taken, and the policies set forth are as clear an indication of the business’s data privacy sophistication and posture as can be gleaned without an internal investigation of the business. And if that privacy policy has not been updated, uses language that is out of date or improperly addresses data privacy concerns, or was simply copied from some other business and is out of place or otherwise ill-fitted to the business described on the website or application, it will be glaringly obvious to those familiar with data privacy law. To a skilled regulator looking for a company that has not complied with state law, a website privacy policy that fails to address or improperly addresses consumer rights and business responsibilities can provide more than enough grounds to open an investigation into the company.
All of this regulatory activity now makes website and mobile application privacy policies key regulatory documents for a company. Their preparation should receive the same careful thought as any other regulatory disclosure. These policies should be drafted with care by a skilled data privacy professional familiar with the regulatory requirements at issue, in close consultation with company officials. They should not be prepared from a form or borrowed from another company’s website. They should also be updated regularly to reflect current company practices, because an outdated privacy policy is an inaccurate privacy policy, equally troublesome from a regulatory perspective and a potential source of regulatory liability.
There is no reason to believe that the wave of comprehensive state consumer data privacy laws will do anything but grow. It is therefore imperative that companies carefully consider their website privacy policies now and going forward.
The views and opinions expressed in the article represent the views of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.
About the Author
Jason M. Schwent is Senior Counsel at Clark Hill, an international law firm. He is experienced in data privacy, intellectual property, and litigation, making him a fierce advocate for his clients. His passion for protecting clients’ assets is evident whether negotiating a complicated enterprise software agreement with a Fortune 100 company or counseling a client following a data breach that exposed millions of users’ data.
Jason can be reached online at jschwent@clarkhill.com and at the firm’s website, http://www.clarkhill.com/