There’s no doubt about it: consumer privacy laws are here to stay. Since 2018, countries around the world and a swath of U.S. states have dramatically changed policy direction with respect to privacy. New consumer privacy laws now set boundaries on the use of consumer data by private companies and empower consumers with controls over their data floating around the digital marketplace. In response, companies everywhere are adjusting how they do business, at both the B2C and B2B levels, and consumers are more aware than ever of their choices in how their data is accessed and used.

In this new era of privacy awareness, having a robust and sophisticated privacy program signals to your customers that your company values their business and that they will enjoy a positive outcome using your product. Your company’s privacy policy is, of course, the most readily available message to your customers about how your company treats data, but your privacy policy is just the tip of the iceberg.

Merely a Reflection
In its best form, your privacy policy is a simple and accurate reflection of your company’s holistic efforts to incorporate privacy by design and by default. Underlying your company’s privacy policy is a system of company policies and practices designed to address an array of overlapping, and sometimes contradicting, legal standards. In its worst form, a privacy policy is copied from a competitor’s website and increases your company’s legal risk.

Beneath the Surface
Most of your company’s privacy efforts operate beneath the surface of public view but are nonetheless essential to serving customers in a manner that earns their trust and complies with the law. The privacy policy posted to your company’s website should be the consumer-facing summary of a holistic privacy program that is tailored to its industry, customers, and business operations. In general, a company’s privacy program should contain key components such as:

  • Customer experiences designed to incorporate notice, consent, and opt-out requirements
  • Marketing campaigns that meet opt-in and opt-out standards
  • Vendor and service provider contracts with adequate privacy and data security requirements
  • Data Privacy Impact Assessment and/or Legitimate Interest Assessment
  • Information Security Program governing data security standards and internal company policies
  • Data retention and destruction policies and schedules
  • Employee privacy policies, training, and confidentiality agreements
  • Insurance policies that cover information systems and data security incidents

Additionally, your company’s privacy program should be designed to address the laws that apply to your company today and structured to accommodate your company’s growth tomorrow. In practice, that means a program that does not hold your company accountable for laws to which it is not subject, but also avoids having to rebuild core processes to capitalize on the next big growth opportunity. An attorney specializing in privacy law can help to implement and maintain a program that works for and grows with your company.

In Full Scope
Privacy readiness and compliance is so much more than an updated privacy policy. It is incorporating privacy standards and principles into each process of your business, each backed by company policies and practices. Implementing and maintaining a robust and holistic privacy program converts your company’s privacy policy from mere words on a webpage to a valuable tool that reduces legal risks and demonstrates the company’s privacy prowess to its customers. Whether your company’s goal is to mitigate legal risks or to outshine the competition, a well-designed privacy program is always a good investment. Companies are welcome to contact Immix Law Group to learn more.


About the Author: Emily Maass
As a corporate attorney with an extensive background in privacy and data security, technology, export controls, and commercial transactions, Emily represents clientele across the business life-cycle to provide innovative, multi-faceted solutions that help companies achieve their commercial goals.

For further information, please email emily.maass@immixlaw.com.