S2 E4: Understanding Your Privacy Notice Obligations
Jordan Eisner: Matt is the Director of Privacy Services at CompliancePoint. He’s been in that role for, I guess, about five years at this point, Matt, maybe a little bit longer.
Matt Dumiak: Yeah, a little bit longer.
Jordan Eisner: Previously, he was with CompliancePoint in the Marketing Compliance Group, which is, I like to call kind of legacy or old-school data privacy or privacy laws in the United States before GDPR and the emergence of the modern data privacy and everything we’ve seen after that with CCPA and the like.
But in total, right, what, 14 years at CompliancePoint?
Matt Dumiak: 14, going on 15 in August.
Jordan Eisner: So our listeners aren’t looking at us, so they can’t see you, but they might hear me refer to you as the privacy prophet throughout this podcast, as you’re known, you know, beyond our company and kind of in the privacy landscape abroad, right? With the ponytail and the beard.
Matt Dumiak: Yeah, I think that’s a perfect nickname.
Jordan Eisner: Yeah, exactly.
And today we’re talking about privacy notices. We’re going to break down what they are, what they need to include. How requirements vary between Europe and the U.S. or even state to state within the U.S. or maybe even within individual territories within Europe. But you know, where are there nuances and things you need to know about privacy notices and steps you can take to ensure your notices are meeting standards.
So Matt, first and foremost, what is a privacy notice?
Jordan Eisner: Or on their window next to their health score, if they’re a restaurant.
Matt Dumiak: Yep, there you go. Exactly right. For their loyalty program, or if you take a mint, maybe you have to give your email address; you would want to have that right next to that, right next to the health score. It needs to be that prominent. It’s that critical under these policy laws.
Jordan Eisner: Another thing to be judged on, right? Online reviews, health scores, and now your privacy notice.
So let’s talk about what needs to be included then, right? Because as I said at the top, it can vary from state to state. It’s different maybe in the US and the European Union, or Europe really, since now you’ve got the UK, and they’re similar: outside of the European Union, but with similar privacy laws.
So talk about the requirements, right, and where there might be variance.
Matt Dumiak: And again, it’s because it is publicly facing. It’s going to be a higher risk item.
Jordan Eisner: Especially California, right? Where the CPPA might be looking to see that you’re honoring the CCPA, which was amended with the CPRA, right?
Jordan Eisner: And that’s March of this year, right? That’s enforceable?
Matt Dumiak: That enforceable date is March of this year. Exactly.
Jordan Eisner: And if I’m not a California company, but I’m doing business in California, should I be as nervous as a company headquartered in California about the CPPA?
Matt Dumiak: Yep, certainly should be. It applies broadly based on those scope and applicability requirements, including revenue and record count and things like that. But I think they’ll treat all those organizations equally, the CPPA will. I don’t think they’re only going to go after organizations that are headquartered in California. They’re really expecting robust compliance when this enforcement date hits. So it’s right around the corner.
Jordan Eisner: I interrupted your talk track. You’re talking about where it varies though.
Matt Dumiak: Yeah, absolutely. So kind of talked about why it’s so important and why it’s how it could be high risk based on being publicly facing.
Some things that are required, they are fairly common across both the United States and in the EU and Europe. You’ll have to outline what privacy rights consumers have. The privacy rights do vary by the European Union, Europe, the UK and the United States, but they are even getting broader here domestically. Common rights like right to be forgotten or right to be deleted, right to access, right to data portability, right to correct the personal information, things like that. Again, fairly common across the board from the state and over across the pond there.
Things like the sale and sharing of personal information. That is certainly more so on the domestic side in terms of like how you’re selling and sharing those definitions do vary by state. They can be pretty complex. It’s important to understand if you say you’re selling data in what context you’re doing that. Again, it can be interpreted broadly, so making sure that you go down that road and really analyze those definitions carefully.
That was one where we saw, not to bring up, not to really focus too much on CCPA here, but one of the first enforcements under that was Sephora. Sephora stated they were not selling personal information when in fact they were selling personal information in a targeted advertising context. Again, something that was very easy for the AG to see, and also the fact that Sephora said they weren’t doing something that they actually were.
Jordan Eisner: Word of the wise. Tell the truth about what you’re doing with the data or at least don’t lie.
Matt Dumiak: Exactly. To quote one of your favorite authors. Exactly right.
Then if you went in, especially in the US, but if you went across the pond there in the EU and the United Kingdom, things like DPO contact information, what lawful basis the organization is relying upon, some other very specific requirements there towards the GDPR that are important to include and not forget if you have a GDPR requirement.
Jordan Eisner: I think that’s helpful. Trying to break down the complexities.
What about on the state level? Where there were nuances from maybe the broader California or the GDPR. What about unique requirements?
Is it true that in Texas, if you weren’t born in Texas, the rules don’t apply to you because you’re not a native Texan? Just kidding.
But where are there some unique rules?
Matt Dumiak: Yeah. That’s a good example. I wouldn’t be surprised if that was written in there and maybe struck at one point. United States of Texas, we get it.
Texas does have a unique one. The sale of sensitive personal information. You have to make very specific disclosures around that, including all caps. It says in quotations in the law some things around sensitive personal information, the fact that you sell it. It needs to be pointed out clearly in its own section. That’s kind of unique in Texas, but it does apply to the sale of sensitive personal information, not the sale of personal information. So making sure we’re kind of aligned on that.
California, the do not sell/share link is somewhat unique in terms of the fact that there is this requirement as well that there is an option, I should say, to have your privacy choices, which is slightly softer than sale of personal information.
Typically our clients and a lot of organizations don’t generally enjoy putting on their website that they sell personal information because they don’t sell it in a traditional definition. They sell it in terms of sharing that personal information or doing targeted advertising with certain third parties. So a sale tends to make them look like a data broker.
So in California, your privacy choices could be a unique one, having that link, having that toll-free number as well even.
So yeah, those are some of the nuances there to look out for.
Jordan Eisner: We’ve only been talking for a dozen minutes or so, and I’m already overwhelmed.
Matt Dumiak: That’s why it’s an important topic to discuss because we do get a lot of questions. There’s a lot of discussions about it and it’s high risk. So it’s important to get right.
Jordan Eisner: But I mean, organizations are doing it everywhere, right? I mean, privacy law has been around now. It’s not new. There are new laws for different states, but it’s not like they’re creating something that hasn’t really been seen for the most part. You mentioned right to appeal, starting to see some things like that.
So GDPR has been around. CCPA has been around. They’re changing. They’ve been amended. What do you still see companies facing from a challenge standpoint with creating notices?
Matt Dumiak: Yeah, that’s a good question. I think even realizing that we’re typically engaged to help an organization build out their privacy program. And so we might be coming in when they don’t have a lot in place or maybe they do have something in place and they want us to kick the tires on that, there’s a reason driving that. They’re uncomfortable or kind of concerned about some of the things going on.
Believe it or not, understanding what personal information they have, what personal information they’re collecting, processing, how they’re sharing it, what vendors they’re working with, what other businesses they might be sharing data with. All of those types of things are still a concern and a challenge for organizations to understand, especially if an organization is of significant size. So you talk about an enterprise.
When we’re working with an enterprise client, 500 million or above even, those types of activities, those sharing activities, the collection, it can be pretty complex. And a lot of the knowledge might sit with specific individuals from an institutional knowledge perspective. So it’s hard to hunt down and document, or at least they found that to be hard to hunt down and document typically why they would bring us in.
Jordan Eisner: That’s how you earned the title privacy prophet, not based on how you look, but the miracle that was putting those in layman’s terms for organizations.
Matt Dumiak: That’s exactly it, nothing to do with my looks or likeness.
Whereas in 2021, 2022, there were a lot of laws proposed, but not very many passed. Well, this past year in ’23, I think it was nine laws, nine states passed privacy laws. They’re obviously getting the hang of it. They know what’s going to work and how to get that kind of work across the aisle to get that law passed.
So looking at that and managing all of that across all these in a single notice or a couple of privacy policies or notices can become quite complex.
Jordan Eisner: Would you say the bigger companies struggle with it because at least a lot of times in my experience, they’re so siloed?
Matt Dumiak: Yep, exactly right. I think that’s a great point you call out there, that they will work so siloed. Maybe they know a lot about their area, but it’s really tough. I mean, I know maybe I sparked that with across the aisle, reaching across the aisle there, but there’s not a lot of, maybe they don’t serve on or there are not a lot of committees that they have insight into. And so that’s why, when we’re building out inventories and building out privacy notices and working with our clients in that regard, it’s a lot of committee work, but it’s also maybe the operations team or the privacy management office that can help us really understand, kind of from a global level, what that organization is doing.
Jordan Eisner: Yeah, it sounds cliché, but I mean, it really is a culture thing.
Matt Dumiak: Yeah, absolutely is.
Jordan Eisner: Sort of, I guess, getting to the end.
If you were an organization, right, or brought in charge of privacy or somebody brought us in, right? How do you simplify privacy notices?
Jordan Eisner: Common denominators, right?
Matt Dumiak: Right.
Common denominator and say, okay, well, these eight states have this requirement. Let’s kind of, instead of bulking, you can bulk the states and the requirement up to crosswalk those to make it simpler, both for the organization to manage, but also for the consumer to understand instead of that 30-page document that we do see on some websites.
Can’t tell you how often we find through an assessment that it’s a different version of the privacy notice or policy on the website. So making sure that you have those updates, some audits in place, things like that to make it simpler for you. An organization may at times feel like they’re chasing their tail really with these. I think that’s how companies feel a lot on the privacy front.
Jordan Eisner: Well, I think that’s good for now. We’ll get into more privacy things in the future, I hope. I hope you’ll come back.
Matt Dumiak: Hey, thanks for having me. I’d love to come back for sure.
Jordan Eisner: Part of the job, right?
Well, thanks everybody for listening. Just a reminder, we produce content like this on a regular basis, so don’t miss an episode. Subscribe today. We’ll have Matt on in the future and we’ll get into other topics: information security, data privacy, and other regulatory compliance.
If you are interested in talking with CompliancePoint about your data privacy program, your privacy notices or other needs you have, please feel free to reach out.
You can connect with us via our website. There’s a lot of different links, as you would imagine, there to email us or schedule meetings. The email address is firstname.lastname@example.org, or Matt, aka the Privacy Prophet. He’s on LinkedIn. Message him there. I’m on LinkedIn, but I understand why you would choose Matt over me even without being able to see him.
So that’s it. Thanks everybody.