For those who are trying to comply with new comprehensive consumer privacy laws in California, Colorado, Connecticut, Utah, and Virginia, some of the requirements are easy to figure out. The most obvious requirement? Every organization subject to the new laws needs a privacy policy on their website.
Of course, once you figure out what needs to go into your policy (and if you are struggling with that, the SixFifty Privacy module can help!), you have to figure out what to do with the policy. Are you posting it in the proper places? The rules about what to do with your policy come from the laws themselves but also the regulations implementing them—both of which are subject to updates. So, here’s a primer on what to do (at least until the regulations get updated … again) with your privacy policy.
Website footer policy
First, if you operate a website, create a link in your footer that has the word “Privacy” in the title. It might simply say “Privacy,” or it could say “Privacy Notice,” or “Privacy Policy,” or some other variation. Just be sure that it is very clear to readers that, if they want to know what your data privacy practices are, that link is where they should click.
Make sure that your link in the footer is obvious. Don’t try to hide it by putting it into small text or text that is difficult to read because the contrast level isn’t high enough. And be sure that it is visible on both desktop and mobile (if you’ve never optimized your site for mobile, now is the time! The good news is that optimizing the site will benefit your business overall, not just help you comply with privacy requirements). If you try to hide the ball with any of your required privacy disclosures, you may be committing a separate breach of privacy law by engaging in what is referred to as a “dark pattern.”
A user interface is considered a “dark pattern” if it has “the effect of substantially subverting or impairing user autonomy, decision-making, or choice.” Translation? If you technically comply by making a required disclosure but hide it in tiny or unreadable print, you are impairing the user’s ability to make proper decisions and exercise choices, because they have not been properly informed about what you are doing with their data and what their rights are. The “dark pattern” warning applies to everything related to privacy. If you try to subvert the intent of the law so that users will not exercise their privacy rights, or so that it is more difficult for them to do so, your organization may be investigated for the dark pattern itself, even if your privacy policy includes all the proper, required information.
Privacy policy in apps
In addition to your footer on your website, if you are operating an app, you need the privacy policy to be accessible in the app stores it can be downloaded from and on one of the initial pages of the app itself. The policy should also be accessible in the app’s Settings menu so that users can find it easily.
Pop-up notices
You may need to use “pop-up” notices for some of your data collection practices. A pop-up notice is often needed when you start doing something new or unexpected with data. Take, for example, a company that runs an app that helps people find coupons for restaurants or stores. Typically, the user types in the kind of coupon they are looking for and then can filter the results in multiple ways, including by city. However, the app also offers the option to turn on geolocation and get only those results within a certain radius of the user’s specific location. Precise geolocation information is considered sensitive personal data, and states will start requiring opt-in consent for collection of sensitive personal information this year or will otherwise regulate how it can be collected and used. This is a situation where a pop-up asking the user to opt in to sharing their location would be appropriate. In addition to the general privacy notice, this lets you meet the notice requirements for doing something new or unexpected at the same time that it lets you collect consent.
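As an added illustration of the opt-in pop-up described above (not code from the original article or from SixFifty), here is a consent gate that only calls the geolocation API after an explicit, recorded opt-in for a named purpose. The prompt and the location provider are injected so the same gate can wrap `navigator.geolocation` in a browser or run without one; `PURPOSE_NEARBY_COUPONS`, `ConsentStore` and the function names are assumptions for the example.

```javascript
// Added example: gate sensitive data collection (precise geolocation) behind
// an explicit, per-purpose, recorded opt-in. Not code from the original article.
// `showOptInPrompt` and `geolocationProvider` are injected so the gate can run
// in a browser (wrapping navigator.geolocation) or in a test without one.

const PURPOSE_NEARBY_COUPONS = "nearby-coupons"; // constructed purpose label

class ConsentStore {
  constructor() { this.records = new Map(); }
  // Records are keyed by purpose so consent for one use cannot be reused for another.
  get(purpose) { return this.records.get(purpose) || null; }
  set(purpose, granted) {
    const record = { purpose, granted, at: new Date().toISOString() };
    this.records.set(purpose, record);
    return record;
  }
}

// Returns { status, position }; status is "granted", "denied" or "unavailable".
// The location provider is only ever called after a recorded opt-in for `purpose`.
async function getLocationWithConsent({ store, purpose, showOptInPrompt, geolocationProvider }) {
  let record = store.get(purpose);
  if (record === null) {
    // No decision on file yet: ask once and record the answer either way.
    // Default is "no": anything other than an explicit true (including a
    // dismissed or failing dialog) is recorded as a refusal.
    let granted = false;
    try { granted = (await showOptInPrompt(purpose)) === true; } catch { granted = false; }
    record = store.set(purpose, granted);
  }
  if (!record.granted) {
    return { status: "denied", position: null };
  }
  try {
    const position = await geolocationProvider();
    return { status: "granted", position };
  } catch {
    return { status: "unavailable", position: null };
  }
}

// Browser adapter (assumption: only used where navigator.geolocation exists).
function browserGeolocationProvider() {
  return new Promise((resolve, reject) =>
    navigator.geolocation.getCurrentPosition(resolve, reject, { enableHighAccuracy: false })
  );
}
```

The `at` timestamp on each record gives you the "when" of the consent alongside the "what", which is the evidence you want on file if the opt-in is ever questioned.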
In-person notices
If your organization operates from brick-and-mortar storefronts or in other in-person locations, you may also need to provide on-site notices. At a storefront, a typical place for posting an on-site notice would include at the cash registers. This is usually an appropriate place because that is where most retailers collect personal information, including email addresses when customers sign up for rewards or other marketing promotions. Remember, no matter how you are collecting information, you need to give people notice at or before the point of collection.
Notice at a brick-and-mortar location is typically provided in a layered manner. “Layered notices” are notices that give a short version of the relevant privacy information along with a link to or instruction on how to access the full privacy policy. How much information is included in the first or “top” layer of a layered notice should be based on your evaluation of the situation—what is being collected? How are you interacting with the consumer? Is there anything that may surprise the consumer that you need to include in the top layer?
It isn’t practical to expect a typical customer to stand and read your entire privacy policy on a sign next to the register. For that reason, most retailers post a sign that gives a brief description of their practices and directs the customer to the URL for the full privacy policy, or tells them they can ask an employee for a physical copy.
Here is a hypothetical example (though you would need to customize it to reflect your situation):
Dear Customers,
We may be collecting your personal information. To read our full privacy policy, visit us at storename.com/privacy or ask one of our team members for a copy.
In addition to signage directing consumers to your general policy, you may need additional signage if you are collecting sensitive information. Collecting video images via CCTV or other similar systems for security or other purposes does require prominent notice under privacy laws in the US. You should have visible signage informing consumers visiting your premises if you are recording them, taking photographs, or engaging in other activities that collect sensitive information. That signage should appear in the areas where the surveillance is occurring. If it is throughout your premises, the signage should be prominently displayed at the entrance so people are aware of the surveillance before they enter.
Telephonic notices
If you collect personal information over the telephone, you also need to provide notice to consumers who interact with your organization that way. This could include customers who are calling your customer support line or who are placing orders over the phone.
For telephonic interactions, you could have a recording inform consumers that you may be collecting their personal information (with a specific reference to collecting sensitive personal information if you may be collecting anything sensitive) that they hear before their information is collected, whether by talking to a support representative or by responding to recorded questions. This verbal reference should be followed by instructions on how to access the full privacy policy online. If you do not have a system that can support this type of prerecording, your employees should be trained to give this notice verbally before they collect personal information from the caller.
Paper copy
If you are collecting personal information by having individuals complete a paper form, such as by passing around sign-in sheets or in other physical ways, consider including a paper copy of your privacy policy. It could be on the back of the form they are completing or posted on the table next to a sign-in sheet. There is no single way to provide notice in these situations, but whatever you do needs to take into account the environment you are in, the type of interaction you are having with the individuals, and the sensitivity of the information. The more sensitive the information is, or the riskier the type of processing you will be engaging in (for example, if you plan to sell their data, that is a high-risk use), the more likely it is that you should be giving them their own personal copy of the privacy policy.
Chatbots
If your organization operates a chatbot or other interactive online tool, it is likely you are collecting some personal information in that tool. Although the privacy policy link should be clearly visible on the webpage or in the app they are using, it is a best practice to also give layered notice in the chatbot. This could involve informing the consumer that the chatbot may collect personal information and refer them to the full privacy policy via a link.
Employee notice
If you are subject to the California Consumer Privacy Act and have any California employees, you also need to think about how you are providing notice to your employees. In addition to the general consumer notice, you need a notice for your employees, former employees, contractors, and job applicants about what you are collecting about them, what will happen with their data, why you are collecting it, and how long you will keep it. That notice needs to be given to these individuals at or before the point where you collect their employment information.
The most likely places for posting this kind of notice include: via a link on your job application page if applications are taken online, via a direct email to current employees, by posting the notice on the intranet if your organization operates one, by including it in your employee handbook, by physical paper copy if applicants apply in person, by verbal instruction on how to access the privacy policy online if you are collecting their information by telephone or video call, and in termination paperwork for former employees. There may be additional places where you want to post the privacy policy for individuals whose HR data you have collected or will collect, depending on how you interact with them and their data.
Conclusion
The notice requirements in the various states with consumer privacy laws are all slightly different, but it is possible to draft one policy that meets all of the requirements. You might also choose to take the approach of having a different notice for consumers in different states, depending on how you interact with individuals and their data. For many organizations, having one unified policy is the simplest approach. Once you make that decision, you need to review how you are collecting data and therefore how and where you should be giving consumers access to your privacy policy. This article hits on some of the most common situations, but there may be additional needs for notice locations based on how you do business. Also keep in mind the individuals whose data you are collecting. Consider what their expectations are. Being transparent about your data practices is the goal under the 5 state privacy laws that have already passed and in the new state privacy laws being considered in 20 additional states.
Disclaimer: The information included here is based on best practices across industries. It should not be construed as legal advice. Placement of privacy notices requires consideration of multiple factors, as indicated in this article. Please consult counsel if you are unsure of your posting requirements.
For more information about SixFifty Privacy tools, request a free demo!