Privacy policies are necessary to explain how a company collects, stores, uses and shares data about its customers or users, and the types of data that are collected. Most of this data is considered Personally Identifiable Information (PII) and may include a person’s name, email, address, phone numbers, credit card number, birth date, gender, age or any piece of information that identifies a person.
It’s remarkable how few people read privacy policies, given that this is personal data we likely wouldn’t willingly share with strangers. The Boston Globe recently explained the importance of these privacy policies this way: “Few people read the privacy policies that are part of most major websites. But they amount to a contract, promising visitors that the site will set reasonable limits on how it will use personal data.”
Fast Company reported on a new survey by Pew Research Center that found more than half of the 4,727 U.S. adults surveyed didn’t understand that privacy policies are contracts between websites and users about how those sites will use their data. In essence, most people are unknowingly signing away their rights to their own data. They blindly trust that the companies behind the websites they visit are being good stewards of their data. It’s only when there’s a publicized breach that they question their privacy practices.
The Online Trust Alliance develops privacy and security standards for online sites. It surveyed 1,200 commercial and government sites and discovered 70 percent had adequate privacy policy standards and many of them promise to share the PII data they collect only with organizations that have strong privacy policies. Great intentions, but the fact is, the average company shares data with 750 different vendors, even though they think they share with only 40.
Disclosure of privacy policies may seem easy enough, but many factors complicate matters. It’s one thing to publish your privacy policy in plain language, a requirement for GDPR and CCPA compliance. It’s quite another to be fully transparent, secure and thoughtful about how you deal with online data privacy.
Here are just a few of the issues that make practicing ethical, responsible data privacy so challenging.
Depending on where your company is located, privacy policy laws vary. The United States has yet to pass a comprehensive law governing the collection, storage or use of personal data. It’s up to the states to protect their residents.
Comparitech scored each state on how its laws governing online privacy compare with those of other states. Not surprisingly, California ranked at the top of the list, earning a score of 75 for its tough privacy and data protection laws. The state goes so far as to include “an inalienable right to privacy” in its state constitution and passed the California Consumer Privacy Act of 2018 (to go into effect January 1, 2020), which gives California residents unprecedented control over their personal online data. The worst scoring state? There was a tie between Mississippi and Wyoming. According to Comparitech, Wyoming employers “are not barred from forcing employees to hand over passwords to social media accounts.”
For companies with an online presence that operate in different states, keeping track of each state’s laws is a difficult and often manual process. In states with stricter regulations, a misstep in privacy practices can result in penalties.
Thanks to the Internet, companies today have customers and website visitors from all over the world. While the world is flat, giving rise to immeasurable opportunities, it also poses a distinct problem for companies that must adhere to different privacy laws across states and countries. The EU and California are not the only regions with strict privacy regulations, and more regulations are sure to come.
Organizations with an online presence must be compliant with the privacy laws of dozens of countries, as well as display consent dialogs in native languages and record consents and revocations for cookies. This is nearly impossible to do manually for each website visitor, putting companies at high risk for non-compliance.
As stated earlier, privacy policy laws are constantly being updated - not only in the state where your organization is based but in every state where you may have offices, customers and vendors. It’s challenging enough to stay on top of your own state privacy policy laws. The onus is on each company to keep up. Monitoring changes in other states and countries and then adapting your practices to comply is more than a full-time job.
One of the elements of these privacy policy laws is user consent. Your company must disclose your privacy policies and give users the option to consent or revoke your request to collect their personal data through the use of cookies. Most companies embed a cookie consent box on their website that does one of three things: ask users to give consent; ask users to decline consent; or inform users that by continuing to use the site, they implicitly give consent. From there, you must manage those preferences so that if a user requests to see it, you can provide verifiable proof.
But that’s not all. When your users revoke the use of cookies on your site, they are also revoking the use of third-party cookies that may be embedded on your site, even without you knowing it. These may be tracking pixels or social media widgets. It’s still up to you to comply with your users’ wishes and track their preferences, yet with third parties running scripts on your site, you have little control unless those unsanctioned third parties are blocked.
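The two mechanics the paragraphs above describe, keeping a verifiable record of each consent or revocation and refusing to load third-party scripts unless the vendor is sanctioned and the user has consented, can be shown in a few dozen lines of browser JavaScript. The block below is an added example written for this page; it is not code from any consent-management product. The class and function names (`ConsentLedger`, `scriptDecision`, `loadThirdPartyScript`), the vendor allow-list and the user id are all constructed for illustration.

```javascript
// Added example: an append-only consent ledger plus a gate that decides whether
// a third-party script may be injected. Names and sample values are hypothetical.

// Constructed allow-list of vendor hostnames the site owner has sanctioned.
// Anything not on this list is blocked regardless of user consent.
const ALLOWED_VENDORS = new Set(["analytics.example-vendor.test"]);

class ConsentLedger {
  // `now` is injectable so timestamps are deterministic in tests.
  constructor(now = () => new Date().toISOString()) {
    this.events = []; // append-only: { userId, action, categories, at }
    this.now = now;
  }

  // Record a grant or revocation for one or more cookie categories.
  // Events are frozen and never edited, so the history is the proof.
  record(userId, action, categories) {
    if (action !== "grant" && action !== "revoke") {
      throw new Error("action must be 'grant' or 'revoke'");
    }
    const event = Object.freeze({
      userId,
      action,
      categories: Object.freeze([...categories]),
      at: this.now(),
    });
    this.events.push(event);
    return event;
  }

  // Current state per category: the latest event wins.
  // A category with no event at all is treated as NOT consented (no implicit consent).
  state(userId) {
    const current = {};
    for (const ev of this.events) {
      if (ev.userId !== userId) continue;
      for (const category of ev.categories) {
        current[category] = ev.action === "grant";
      }
    }
    return current;
  }

  hasConsent(userId, category) {
    return this.state(userId)[category] === true;
  }

  // Full history for a user, i.e. what you would hand over on request.
  history(userId) {
    return this.events.filter((ev) => ev.userId === userId);
  }
}

// Decide, without touching the DOM, whether a script may be loaded.
function scriptDecision(ledger, userId, scriptUrl, category) {
  const host = new URL(scriptUrl).hostname;
  if (!ALLOWED_VENDORS.has(host)) {
    return { load: false, reason: "vendor not sanctioned: " + host };
  }
  if (!ledger.hasConsent(userId, category)) {
    return { load: false, reason: "no consent for category: " + category };
  }
  return { load: true, reason: "ok" };
}

// Inject the script tag only when the decision allows it.
// The DOM call is guarded so the same code runs under Node for testing.
function loadThirdPartyScript(ledger, userId, scriptUrl, category) {
  const decision = scriptDecision(ledger, userId, scriptUrl, category);
  if (decision.load && typeof document !== "undefined") {
    const tag = document.createElement("script");
    tag.src = scriptUrl;
    document.head.appendChild(tag);
  }
  return decision;
}

// Walk-through on constructed data: deny before consent, allow after grant,
// deny an unsanctioned host even with consent, deny again after revocation.
function demo() {
  const ledger = new ConsentLedger(() => "2024-01-01T00:00:00.000Z");
  const user = "visitor-123";
  const sanctioned = "https://analytics.example-vendor.test/tag.js";
  const unsanctioned = "https://tracker.unknown.test/pixel.js";

  const before = loadThirdPartyScript(ledger, user, sanctioned, "analytics").load;
  ledger.record(user, "grant", ["analytics"]);
  const after = loadThirdPartyScript(ledger, user, sanctioned, "analytics").load;
  const rogue = loadThirdPartyScript(ledger, user, unsanctioned, "analytics").load;
  ledger.record(user, "revoke", ["analytics"]);
  const revoked = loadThirdPartyScript(ledger, user, sanctioned, "analytics").load;

  return { before, after, rogue, revoked, proofEntries: ledger.history(user).length };
}
```

In a real deployment the ledger would be persisted server-side and keyed to whatever identifier the site already uses for the visitor; the point of the example is the shape of the record (append-only, timestamped, per category) and the fact that an unsanctioned vendor is refused even when the user has consented.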
Even when you think you’re doing all you should to espouse responsible privacy policy practices, you may be missing something. Your vendors. Your vendors can put you at great risk and get you into trouble if you don’t keep tabs on them. Because you are trusting your vendors with your data, you have to be sure they respect that data as much as you do.
Keep in mind that their privacy practices may frequently change. That means you have to continually monitor their practices and determine whether they are putting you at unacceptable risk. If they have a breach, for instance, will your customers, the Department of Justice and the media blame you or them or both?
To make things more complicated, your vendors also have vendors who may use the data you’ve shared. You can see how quickly your web of vendors grows. It’s critical to track all of your third- and fourth-party vendors so you can prove you were doing your due diligence.
Privacy laws and regulations are complicated, but compliance doesn’t have to be. What was once a highly-manual process has been modernized with the help of technology. Today, companies can automate consent management, vendor risk monitoring, privacy policy change management, and privacy law changes. You have visibility into that complicated web of vendors, seeing exactly how well each vendor and their vendors are protecting your user data.
With a single line of JavaScript on your website, your website is instantly compliant with any data privacy law, even if it has third-party cookies. All consents and revocations are recorded and searchable with a click for responsible data governance.
That means instead of dedicating resources to a nearly impossible task, you can ensure your website is compliant in every state and country in only minutes. You can track privacy ratings for thousands of vendors to understand your risk instantly over time. You can be alerted when a vendor changes their policies and when privacy laws are added or changed.
Data privacy policies are more than a big deal; they are everything. Consumers are increasingly looking for transparent companies and 75 percent of Americans say they are not okay with companies using their personal data. Even more eye-opening is the fact that 72 percent of adults support a national privacy protection law. Protecting user data is not only the right thing to do, but it is also quickly becoming a differentiator amongst brands.