S2 E4: Understanding Your Privacy Notice Obligations


Jordan Eisner: Hello, everybody. This is Jordan Eisner, host of Compliance Pointers. I’m very excited to have my colleague and friend, Matt Dumiak, today.

Matt is the Director of Privacy Services at CompliancePoint. He’s been in that role for, I guess, about five years at this point, Matt, maybe a little bit longer.

Matt Dumiak: Yeah, a little bit longer.

Jordan Eisner: Previously, he was with CompliancePoint in the Marketing Compliance Group, which is, I like to call kind of legacy or old-school data privacy or privacy laws in the United States before GDPR and the emergence of the modern data privacy and everything we’ve seen after that with CCPA and the like.

But in total, right, what, 14 years at CompliancePoint?

Matt Dumiak: 14, going on 15 in August.

Jordan Eisner: So our listeners aren’t looking at us, so they can’t see you, but they might hear me refer to you as the privacy prophet throughout this podcast, as you’re known, you know, beyond our company and kind of in the privacy landscape abroad, right? With the ponytail and the beard.

Matt Dumiak: Yeah, I think that’s a perfect nickname.

Jordan Eisner: Yeah, exactly.

And today we’re talking about privacy notices. We’re going to break down what they are, what they need to include. How requirements vary between Europe and the U.S. or even state to state within the U.S. or maybe even within individual territories within Europe. But you know, where are there nuances and things you need to know about privacy notices and steps you can take to ensure your notices are meeting standards.

So Matt, first and foremost, what is a privacy notice?

Matt Dumiak: Yeah, that’s a good question. I think it’s something good to clarify as well, because when most people think about a privacy notice, they’re going to think about a privacy policy on a website, which that certainly serves as one, but we will use privacy notice more broadly because many of these privacy laws, if not the majority of them, would apply to both offline and online collection of personal information. So it really is meant to disclose to consumers or individuals what personal information a company is collecting or processing, how they’re processing it, all of those kinds of things.

So most commonly a privacy policy would serve as that, but again, even offline organizations who operate a brick-and-mortar only, but collect personal information, they might need to put that kind of notice on some type of contract. They might need to put it on the wall behind them or on the desk where the consumer’s providing that type of personal information. So it can be seen as fairly broad in the industry for sure.

Jordan Eisner: Or on their window next to their health score, if they’re a restaurant.

Matt Dumiak: Yep, there you go. Exactly right. For their loyalty program or if you take a mint, maybe you have to give your email address, you would want to have that right next to that, right next to the health score. It needs to be that prominent. It’s that critical under these policy laws.

Jordan Eisner: Another thing to be judged on, right? Online reviews, health scores, and now your privacy notice.

So let’s talk about what needs to be included then, right? Because as I said at the top, it can vary from state to state. It’s different maybe in the US and European Union or Europe really since now, you got UK and they’re similar outside of the European Union, but similar privacy laws.

So talk about the requirements, right and where there might be variance.

Matt Dumiak: Yeah, sure. And I think even backing up while we’re talking about the privacy notices, this is a higher risk area to get right. It’s publicly facing. So a consumer or a regulator or a professional plaintiff can check out a website or check out a brick and mortar and see if they have a notice, if they have a privacy policy. So it’s really critical in ensuring that you have a privacy notice if it’s applicable, posted in the appropriate places.

And again, it’s because it is publicly facing. It’s going to be a higher risk item.

Jordan Eisner: Especially California, right? Where the CPPA might be looking to see that you’re honoring the CCPA, which was amended with the CPRA, right?

Matt Dumiak: So lots of fun acronyms there. You are correct. They are actively looking and investigating organizations to ensure that they are complying with the CCPA. And so that includes anything from privacy notices, cookie consent, do not sell. And I should say, backing up with California, it’s not cookie consent per se, but allowing individuals to opt out of targeted advertising. But yes, they’re actively looking at an organization’s website, including the privacy policy and notice to ensure that it meets those requirements.

Jordan Eisner: And that’s March of this year, right? That’s enforceable?

Matt Dumiak: That enforceable date is March of this year. Exactly.

Jordan Eisner: And if I’m not a California company, but I’m doing business in California, should I be as nervous as a company headquartered in California about the CPPA?

Matt Dumiak: Yep, certainly should be. It applies broadly based on those scope and applicability requirements, including revenue and record count and things like that. But I think they’ll treat all those organizations equally, the CPPA will. I don’t think they’re only going to go after organizations that are headquartered in California. They’re really expecting robust compliance when this enforcement date hits. So it’s right around the corner.

Jordan Eisner: I interrupted your talk track. You’re talking about where it varies though.

Matt Dumiak: Yeah, absolutely. So kind of talked about why it’s so important and why it’s how it could be high risk based on being publicly facing.

Some things that are required, they are fairly common across both the United States and in the EU and Europe. You’ll have to outline what privacy rights consumers have. The privacy rights do vary by the European Union, Europe, the UK and the United States, but they are even getting broader here domestically. Common rights like right to be forgotten or right to be deleted, right to access, right to data portability, right to correct the personal information, things like that. Again, fairly common across the board from the state and over across the pond there.

So some interesting things, you’re required to outline how long you maintain personal information and for what purpose. I think somebody listening to this podcast might panic a little bit in hearing that. It can be spelled out in broad terms, but it does need to be accurate. So we don’t need to outline our retention schedule in our privacy notice or privacy policy, but we certainly do need to outline how long we’re maintaining it and what’s the personal information and what is really driving those retention requirements. Is it you have maintained it for as long as you need it and then you’ll delete it securely, whatever it might be, but it does need to be disclosed and specific enough to provide the consumer with that type of information.

Things like the sale and sharing of personal information. That is certainly more so on the domestic side in terms of like how you’re selling and sharing those definitions do vary by state. They can be pretty complex. It’s important to understand if you say you’re selling data in what context you’re doing that. Again, it can be interpreted broadly, so making sure that you go down that road and really analyze those definitions carefully.

That was one where we saw not to bring up, not to really focus too much on CCPA here, but one of the first enforcement under that was Sephora. Sephora stated they were not selling personal information when in fact they were selling personal information in a targeted advertising context. Again, something that was very easy for the AG to see and also the fact that Sephora said they weren’t doing something that they actually were.

I think that’s something that the regulators are going to focus on as well in terms of when they’re looking at a notice or a policy, privacy policy that’s on a website. If they see something where you say you’re not doing, if the organization states they’re not doing something and then they see very easily on the website that they are, that could be construed as being deceptive, there are other things to follow there. Pretty critical to make sure we get that right. Again, those definitions vary by state and can be somewhat confusing.

Jordan Eisner: Word of the wise. Tell the truth about what you’re doing with the data or at least don’t lie.

Matt Dumiak: Exactly. To quote one of your favorite authors. Exactly right.

Sources of personal information, categories of personal information. Of course, when the last update was for the privacy policy, important to have that there. It’s a requirement, but then also important to keep an eye on that. Make sure it doesn’t get too out of date given we’re supposed to update these notices at least every year annually. Those are some common requirements that you’ll see.

Then if you went in, especially in the US, but if you went across the pond there in the EU and the United Kingdom, things like DPO contact information, what lawful basis the organization is relying upon, some other very specific requirements there towards the GDPR that are important to include and not forget if you have a GDPR requirement.

Jordan Eisner: I think that’s helpful. Trying to break down the complexities.

What about on the state level? Where there were nuances from maybe the broader California or the GDPR. What about unique requirements?

Is it true that in Texas, if you weren’t born in Texas, the rules don’t apply to you because you’re not a native Texan? Just kidding.

But where are there some unique rules?

Matt Dumiak: Yeah. That’s a good example. I wouldn’t be surprised if that was written in there and maybe struck at one point. United States of Texas, we get it.

Texas does have a unique one. The sale of sensitive personal information. You have to make very specific disclosures around that, including all caps. It says in quotations in the law some things around sensitive personal information, the fact that you sell it. It needs to be pointed out clearly in its own section. That’s kind of unique in Texas, but it does apply to the sale of sensitive personal information, not the sale of personal information. So making sure we’re kind of aligned on that.

California, the do not sell/share link is somewhat unique in terms of the fact that there is this requirement as well that there is an option, I should say, to have your privacy choices, which is slightly softer than sale of personal information.

Typically our clients and a lot of organizations don’t generally enjoy putting on their website that they sell personal information because they don’t sell it in a traditional definition. They sell it in terms of sharing that personal information or doing targeted advertising with certain third parties. So a sale tends to make them look like a data broker.

So in California, your privacy choices could be a unique one, having that link, having that toll free number as well even.

Certain states are starting to pop up now with a right to appeal if you decline an access request, so a privacy right. So for example, if an organization says we didn’t honor a deletion request based on the fact that we couldn’t verify someone’s identity, that’s perfectly fine to do. However, you have to give that consumer instructions and the ability to appeal that request. And so it could follow similar steps in terms of how they submitted that request to begin with that right, and we’ll just stick with right to be deleted. How they submitted that request outright, but then the organization needs to disclose that in their privacy policy that consumers have the ability to appeal the steps and then even go beyond that.

And then we talked a little bit about this with the EU, but under GDPR, certainly more specific or unique requirements. And I know Jordan, you asked me to keep it to the states, but I don’t want to forget about GDPR even though I already mentioned it. DPO, EU representative, data transfers, lawful basis, the list goes kind of on and on there. And usually that would be seen as why a lot of organizations will split out kind of a domestic privacy policy versus a Europe, an international privacy policy, because those can use different terms and different terminology and definitions and things like that too.

So yeah, those are some of the nuances there to look out for.

Jordan Eisner: We’ve only been talking for a dozen minutes or so, and I’m already overwhelmed.

Matt Dumiak: That’s why it’s an important topic to discuss because we do get a lot of questions. There’s a lot of discussions about it and it’s high risk. So it’s important to get right.

Jordan Eisner: But I mean, organizations are doing it everywhere, right? I mean, privacy law has been around now. It’s not new. There are new laws for different states, but it’s not like they’re creating something that hasn’t really been seen for the most part. You mentioned right to appeal, starting to see some things like that.

So GDPR has been around. CCPA has been around. They’re changing. They’ve been amended. What do you still see companies facing from a challenge standpoint with creating notices?

Matt Dumiak: Yeah, that’s a good question. I think even realizing that we’re typically engaged to help an organization build out their privacy program. And so we might be coming in when they don’t have a lot in place or maybe they do have something in place and they want us to kick the tires on that, there’s a reason driving that. They’re uncomfortable or kind of concerned about some of the things going on.

Believe it or not, understanding what personal information they have, what personal information they’re collecting, processing, how they’re sharing it, what vendors they’re working with, what other businesses they might be sharing data with. All of those types of things are still a concern and a challenge for organizations to understand, especially if an organization is of significant size. So you talk about an enterprise.

When we’re working with an enterprise client, 500 million or above even, those types of activities, those sharing activities, the collection, it can be pretty complex. And a lot of the knowledge might sit with specific individuals from an institutional knowledge perspective. So it’s hard to hunt down and document, or at least they found that to be hard to hunt down and document typically why they would bring us in.

Another thing, and even I think a lot of organizations find this is these are laws. And so it is difficult to take what the requirement states and put it kind of in layman’s terms and easy to understand, easy to read. It’s typically a privacy policy or a privacy notice can become full of legalese pretty quickly if you’re not careful. Really complex, really confusing for the consumer. And in these laws, they also write that they need to be easy to understand. They shouldn’t include a lot of legalese. And so kind of translating that and ensuring that it’s easy to understand is a real challenge for sure.

Jordan Eisner: That’s how you earned the title privacy prophet, not based on how you look, but the miracle that was putting those in the layman’s terms for organizations.

Matt Dumiak: That’s exactly it, nothing to do with my looks or likeness.

And then even just to kind of like expand upon those challenges, keeping it accurate and updated. Things change all the time within an organization. They collect more personal information. They onboard new vendors. Like all these things have to be reflected in the privacy policy. So how do you keep it up to date and accurate to reflect your current processing activities?

That’s why even the CCPA and some other state laws would have a requirement to update the privacy policy on an annual basis, if not more often, to ensure that it’s accurately reflecting the processing activities. Stacking on top of it, all the state laws that passed last year, like these legislative sessions are becoming more and more, the states are becoming more and more successful at passing these laws. They now understand how to get these state privacy laws across the finish line.

Whereas in 2021, 2022, there were a lot of laws proposed, but not very many passed. Well, this past year in ’23, I think it was nine laws, nine states passed privacy laws. They’re obviously getting the hang of it. They know what’s going to work and how to get that kind of work across the aisle to get that law passed.

So looking at that and managing all of that across all these single notice or a couple privacy policies or notices can become quite complex.

Jordan Eisner: Would you say the bigger companies struggle with it because at least a lot of times in my experience, they’re so siloed?

Matt Dumiak: Yep, exactly right. I think that’s a great point you call out there that they will work so siloed, maybe they know a lot about their area, but it’s really tough. I mean, I know maybe I sparked that with across the aisle, reaching across the aisle there, but there’s not a lot of, maybe they don’t serve or there are not a lot of committees that they have insight into. And so that’s why when we’re building out inventories and building out privacy notices and working with our clients in that regard, it’s a lot of committee work, but it’s also maybe the operations team or the privacy management office that can help us really understand kind of from a global level what that organization is doing.

Jordan Eisner: Yeah, it sounds cliche, but I mean, it really is a culture thing.

Matt Dumiak: Yeah, absolutely is.

Jordan Eisner: Sort of, I guess, getting to the end.

If you were an organization, right, or brought in charge of privacy or somebody brought us in, right? How do you simplify privacy notices?

Matt Dumiak: So there are a couple schools of thought on this. So to simplify an existing privacy notice, I think a lot of times when we see they’re overly complex is because they might have a different privacy policy section or privacy notice section for every state or every jurisdiction, which has some type of requirements. And now we’re going into GDPR and things. I know sometimes we see that might be all the states have a different section and they just outline, for example, that in Texas, here’s what our notice obligations are. In Virginia, here’s what they are.

Before you know it, the privacy policy is like 15 to 20 pages long just for domestic. It’s really redundant. The consumer is probably not going to scroll down and see what sections apply to them. I think you can take an approach of crosswalking these state privacy laws. A lot of them are somewhat similar.

Jordan Eisner: Common denominators, right?

Matt Dumiak: Right.

Common denominator and say, okay, well, these eight states have this requirement. Let’s kind of, instead of bulking, you can bulk the states and the requirement up to crosswalk those to make it simpler, both for the organization to manage, but also for the consumer to understand instead of that 30-page document that we do see on some websites.

So a similar approach there for GDPR, either splitting that off potentially for an international side if that’s a large part of your business and you feel like it’s appropriate to have an international privacy policy. If not, it could be a subsection in the notice or the policy. So that is certainly one way of doing that.

And then just having a regular cadence of updating it, regular cadence of auditing it, making sure it’s accurate. I can’t tell you how many times we go perform an assessment for an organization. We’re talking to their legal team. They give us a copy of their privacy policy. The most up to date and accurate one, we go look and check if it’s on the website and it’s a different version. It got lost in translation. They send it to the website team or to the development team. It didn’t get into the roadmap or didn’t get into the updates and the privacy policy has been out of date for two years.

Can’t tell you how often we find that through an assessment that it’s a different version of the privacy notice or policy on the website. So making sure that you have those updates, some audits in place, things like that to make it simpler for you instead of or an organization may at times feel like they’re chasing their tail really with these. I think that’s how companies feel a lot on the privacy front.

Jordan Eisner: Well, I think that’s good for now. We’ll get into more privacy things in the future, I hope. I hope you’ll come back.

Matt Dumiak: Hey, thanks for having me. I’d love to come back for sure.

Jordan Eisner: Part of the job, right?

Well, thanks everybody for listening. Just a reminder, we produce content like this on a regular basis, so don’t miss an episode. Subscribe today. We’ll have Matt on in the future and we’ll get into other topics, information security, data privacy, and other regulatory compliance.

If you are interested in talking with CompliancePoint about your data privacy program, your privacy notices or other needs you have, please feel free to reach out.

You can connect with us via our website. There’s a lot of different links you would imagine there to email us or schedule meetings. The email address is connect@compliancepoint.com or Matt, aka the Privacy Prophet. He’s on LinkedIn. Message him there. I’m on LinkedIn, but I understand why you would choose Matt over me even without being able to see him.

So that’s it. Thanks everybody.