How to draft a Privacy Notice from Above the Law Newsletter accessed today.

Drafting a Privacy Notice Checklist
Practical Law Intellectual Property & Technology
By THOMSON REUTERS
Oct 18, 2016 at 10:48 AM
This Checklist outlines key steps to take when drafting a privacy notice, also known as a privacy policy, statement, or disclosure. It highlights important benchmarks in developing a privacy notice, including applicable law and guidance, the proper format and approach, and post-publication considerations.

Understand How the Business Collects and Uses PII

Accurately disclosing a company’s PII practices first requires a full understanding of how the business collects, uses, shares, transfers, and stores PII. To do this:

Engage key employees who know how the business collects, stores, uses, and discloses PII to help develop and review a PII data map documenting:
the type of PII the business collects;
the people the business collects PII from, including where they reside;
how the business collects, uses, and shares PII;
why the business collects, uses, and shares PII;
the parties given access to PII, including all third-party service providers;
geographic locations where the business collects or stores PII;
the electronic systems that handle PII and the people responsible for those systems;
the PII data flows, including data transfer, sharing, storage, and exit points;
how long the business retains PII;
the security controls and safeguards deployed to protect PII; and
any future or anticipated PII collection or use needs.
Consider that key employees with relevant information may sit in:
operations;
human resources;
records and information management;
information technology;
marketing;
webpage design;
product development; or
legal.
Identify any collection or use of PII that may require special handling or additional disclosures, including:
precise geo-location;
biometrics;
information from or about children;
sensitive data, such as health or financial information;
any potential uses that are unrelated to or different from the original reason PII was collected;
individualized profiles or tracking of individualized activity;
online behavioral advertising (OBA), interest-based advertising (IBA), or similar advertising and marketing techniques; and
if and how the business’s websites respond to web browser Do Not Track (DNT) signals.
Review and understand how the technology employed to collect, store, process, use, control, access, and share PII works.
Identify any automated PII collection that may not be obvious to consumers, including:
electronic communication protocols;
cookies, flash cookies, pixel tags, or web beacons;
technologies used to track individual activity over time;
GPS; or
sensors.
Identify any privacy-related opt-out methods or other choice mechanisms and understand exactly how they work.
Determine Legal Requirements

The US does not have an overarching federal law setting privacy notice requirements or standards for all businesses. However, before drafting a privacy notice, businesses should consider:

Federal Trade Commission (FTC) guidance.
Relevant state law and guidance.
Sector-specific laws and self-regulatory guidance applicable to specific industries or activities.
Foreign laws.
Decide What Approach and Format the Notice Must Take

Based on the factual investigation results, choose the best privacy notice approach and format to fit the business’s needs. For example, consider a:
unified notice addressing all aspects of the business’s PII use in one document for uncomplicated businesses following one clear set of PII handling practices;
specific notice addressing a clearly defined subset of operations for complex businesses with diverse operations or businesses that need to call out particular privacy practices;
long-form or singular format for simple notices capable of clear presentation in one document;
layered format dividing the notice into segments for complex documents that can benefit from simplification or summarization;
just-in-time format for practices requiring a specific notice at the exact time the business collects PII; and
privacy center or centralized privacy setting to highlight consumers’ PII-related choices.
Consider sector-specific format requirements or standards, for example the GLBA and HIPAA format requirements.
Consider the different types of privacy notices the business may need, including, for example, notices specific to employees, web sites, mobile applications, or retail collection points. The full Checklist links to sample website and mobile application privacy notices.
Draft the Privacy Notice

Keep the notice simple and straightforward: Say what you do and do what you say.
Write the notice in plain and clear English so that the reader can clearly understand it.
Include sections that disclose the following:
the notice’s scope and introductory statements;
what types of PII the business collects;
how the business collects, uses, and shares PII;
sector or geographic-specific disclosures;
individual choice, opt-out, or access mechanisms provided;
data security standards or practices followed;
revisions and updates to the notice; and
contact information and how to register complaints.
Clearly frame the notice’s scope by specifically identifying what it does and does not cover.
Specifically call out any:
sensitive data the business collects, stores, uses, or shares;
data uses or collections that may not be obvious or clear to the individual based on normal business interactions;
automated collection technologies employed; or
profiling or tracking of individual activity across devices or websites.
Clearly describe when and why PII may be provided to third parties, along with any restrictions or requirements the business places on those third parties.
Disclose other different, but important, PII uses and disclosures, such as to comply with court orders or legal requirements, defend the business, protect employees, or support mergers and acquisitions activities.
Include all required federal or state disclosures.
Provide effective consumer choice mechanisms for certain PII uses, particularly for marketing activities.
Clearly identify the notice’s effective date and the best method of contacting the company with complaints, concerns, or questions.
Clearly describe the process for communicating any future changes to the privacy notice.
Review the draft notice with key stakeholders to ensure it accurately reflects the business’s current and anticipated PII handling practices, including:
senior management;
business and technical employees responsible for PII policies and procedures;
operating units responsible for controlling PII collection, access, and use;
information technology groups responsible for PII security; and
legal counsel.
Engage others without technical, legal, or privacy backgrounds to review the draft notice to identify readability issues or descriptions requiring clarification.
Test any opt-out methods or other choice mechanisms described in the notice to ensure they work exactly as described.
Publish the Privacy Notice

Use publication and delivery methods that provide individuals with real and timely notice of the business’s privacy practices when they are deciding what information they should share, including:
online or website posting, with links provided wherever PII is collected;
email or other electronic means; and
postal delivery.
Let the context of the consumer interaction determine the best privacy notice communication method.
Consider any legal requirements around delivery. For example, GLBA, HIPAA, COPPA, and certain state statutes set specific delivery requirements for their notices.
Clearly and conspicuously label the notice so it is easy for consumers to locate.
Post-Publication Considerations

Ensure employees are aware of the privacy notice statements and obligations when acting on behalf of the business.
Require employees to:
regularly read and acknowledge the privacy notice, similar to other important corporate policies;
attend privacy notice training courses, with additional training tailored for specific job functions; and
conduct a privacy notice review before implementing new technologies or changing current processes.
Establish policies and procedures for regularly reviewing privacy notices to:
audit the business’s compliance with the stated privacy notice;
test any individual opt-out or choice mechanisms to ensure they are working as expected; and
keep the notice up-to-date as changes in applicable privacy laws or PII-handling practices occur.
Implement effective procedures and technology to ensure compliance with privacy notice statements or individual opt-out requests.
Consider establishing a “privacy by design” program as part of the business’s product and development process.
Provide adequate notice of privacy policy revisions:
giving notice using the same method used for the initial privacy notice delivery;
prompting consumers to view the new notice on a website by posting a banner or other conspicuous notice;
alerting consumers of the new notice the first time they log into a website after the new notice has been posted; and
obtaining express consent for any new notice terms that are material retroactive changes, such as sharing PII with third parties after committing at the time of collection not to share that information.
If the business cannot obtain proper consents for material retroactive changes, implement procedures to segregate PII based on the various permitted uses.
Summary of Best Practices for Drafting Privacy Notices

Write the notice in plain and clear English so that the reader can clearly understand it.
Understand how the business uses PII and relevant technology.
Tailor the notice to the business’s specific needs and structure.
Do not use a template approach that ignores the business’s actual practices.
Consult FTC, state laws, and other regulations or industry guidelines that provide minimum standards and best practices for data collection and use.
Do not collect sensitive PII unless it is absolutely necessary. If collecting sensitive PII is necessary, clarify why and include an explanation of how the business protects the data.
Allow consumers and others a cost-free way to opt out of the business using or maintaining their PII.
Make the notice easy to find and accessible.
Update the notice regularly to reflect changes and communicate changes to consumers.
Always include the notice’s effective date and retain copies of past versions.
Clearly communicate how consumers can contact the business with questions or concerns regarding the privacy notice and practices.
Ensure the privacy notice matches actual business practices and train employees.
Consider joining a well-respected privacy certification program to improve accountability and credibility.
For the full article complete with links to helpful ready-made resources on related topics, visit the Practical Law Checklist, “Drafting a Privacy Notice”, today!

***

Practical Law provides legal know-how that gives lawyers a better starting point. Our expert team of attorney editors creates and maintains thousands of practical resources across all major practice areas. We go beyond primary law and traditional legal research to allow you to practice more efficiently and improve client service.

© 2016 Breaking Media, Inc. All rights reserved.

This entry was posted in Big Data, corporate intrusion into our private lives, Informal Legal Education, International Corporate Law?, Privacy Notice USA LAW, Rule of Law, Self Learning.
