The Tao of a Privacy Notice
Privacy Plus+
Privacy, Technology and Perspective
The Tao of a Privacy Notice. This week, we’re calming down after seeing advertisements for $20 privacy notices and $175 “eu gdpr compliant privacy policies and notices” [sic] on independent-contractor websites.
Privacy notices are not $20 cut-and-paste documents. It’s 2022, and writing this sentence has a surreal quality, but apparently it is necessary as a caution. To be clear: No organization can cut and paste someone else’s privacy notice and pass it off as its own, unless by some freaky coincidence the other organization’s underlying privacy program exactly duplicates the copier’s own. Doing so would be a material misrepresentation of privacy practices tantamount to fraud under FTC interpretations. Please don’t trust lawyers to prepare a privacy notice unless they can help your organization confirm the accuracy of your notice, and even then, don’t expect the lawyer to warrant that accuracy any more than they will verify your interrogatory answers (absent clear and complete instructions). They must, instead, have a robust understanding of your organization’s privacy practices before preparing your privacy notice, and it is your (the client’s) obligation to make sure they have the facts they need.
Finding harmony: Privacy notices and privacy practices. What is essential to understand is that privacy notices are meant to reflect (accurately) the key points of the noticer’s substantive, underlying privacy program. Obviously, such a program must first exist; otherwise the notice will be deceptive. It also seems obvious that the privacy program must include the policies and practices, including but not limited to data security practices, that are required by applicable law. One follows the other. Put another more poetic way: It’s like the Greek myth of Narcissus, who falls in love with his own reflection. A knock-out privacy notice can only exist as a beautiful and accurate reflection of an organization’s beautiful, substantive privacy program. Note that we don’t recommend falling in love with a static privacy notice because all privacy programs must evolve over time, and therefore, so must privacy notices.
First things first: Before broadcasting an organization’s privacy practices via its privacy notice, that organization must first understand its privacy risk. Think of privacy risk as the likelihood that individuals will experience problems because of how the organization processes personal information about them. In turn, think of “data processing” broadly, to include any action taken during the complete data life cycle (collection, retention, security, logging, generation, transformation, use, disclosure, sharing, transmission, disposal, and any other action with personal information).
To address privacy risk adequately, the organization must first know what it does with personal information, by examining its operations, records, systems, products, services, databases, website(s), app(s), cloud-based technologies, and its vendors and service providers to determine what it collects, owns, licenses, stores or otherwise maintains, and why and how. It must also learn what it is required to do, understanding all the laws that apply to it. This requires an analysis of the jurisdictions and industry sector(s) in which the organization operates. Then the organization must determine whether and how it is doing what is required. Only then will the organization be ready to draft a privacy notice.
Drafting the Privacy Notice. While preparing a privacy notice shouldn’t cost an arm and a leg (or cause an organization to drown in self-reflection), the legwork required to prepare an accurate notice is considerable and can be costly. The privacy-notice wheel need not be constantly reinvented, but like any other wheel, it needs to be constructed carefully from the beginning and then regularly tested and reassessed. We are all in favor of squeezing a nickel to do the work of a dime, but something that is too cheap runs a high risk of misstating what the organization actually says and does, and thereby violating FTC policies against deceptive practices in commerce, not to mention many other specific privacy laws.
A good resource. For many organizations, we recommend a self-evaluation under the NIST Privacy Framework as a predicate to preparing a privacy notice. A link to the NIST Privacy Framework follows:
https://www.nist.gov/privacy-framework/privacy-framework
Note that NIST also maintains other helpful resources, including a mapping that charts NIST’s Privacy Framework against NIST’s Cybersecurity Framework. Other security/privacy frameworks also can be helpful, such as SOC 2 and ISO. There are also services available that can automate a portion of an organization’s compliance obligations under those frameworks in a manner that can be monitored through API connections and other integrations. However, compliance with privacy laws and the related maintenance of privacy programs and preparation of privacy notices requires a lawyer’s attention—preferably one who is well-versed in data privacy law.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.