The global digital realm has witnessed a radical shift in how businesses collect, process, store, sell, and share consumers’ personal data. Global data protection and privacy regulations revolve around businesses applying a privacy-first approach and ensuring that users’ rights are protected by adhering to core data protection principles, such as data minimization, data accuracy, transparency, and data security.
These require businesses to be open and transparent with their users about their data processing activities and keep them continuously informed. This can be achieved with the help of a privacy notice, privacy policy, privacy statement, or fair processing notices.
Read on to learn more about Privacy Notices in the light of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), what information it needs to include, and how to automate it.
What is a Privacy Notice?
A privacy notice is directed externally. It explains to clients, customers, website visitors, authorities, and other interested parties what the company does with personal data. It provides information regarding the categories of personal data handled, the legal justification for processing personal data, and the data provided to third parties.
A privacy notice typically describes an organization's data processing practices and what website visitors can expect. It informs the users regarding their personal data, how it is collected, how it will be retained, what security measures the organization has adopted to keep their data secure, and how they can exercise their privacy rights as per applicable privacy laws.
To sum up, where a privacy policy instructs an organization’s employees, a privacy notice, on the other hand, explains to users and customers how the user's personal data is handled and processed.
What Should a Privacy Notice Include?
In the digital context, privacy notices must be provided at or before the point of collection of personal data. A layered approach is recommended to ensure full transparency. Privacy notices can be push-and-pull, privacy dashboards, or just-in-time notices.
As far as a privacy notice is concerned, the privacy notice or a link to the privacy notice should also be posted on the page where the data collection occurs whenever a website collects personal information online.
A detailed privacy notice should address the following questions:
- What is the business, and what does it do?
- Scope of the notice (to whom does it apply?)
- What are the applicable laws (according to the jurisdiction where the business is located or services are provided)?
- What personal data does the business collect?
- How does the business obtain personal data?
- How does a business use and process personal data?
- How does the business share or disclose personal data to third parties?
- How long does the business keep the personal data in the system?
- What measures are in place to ensure the protection and safety of the collected data?
- Whether there is a cross-border transfer of personal data?
- What rights do individuals have regarding their personal data?
- Who is the data controller for personal data?
- How does the business use cookies and similar technologies?
- How can the users access or control their personal data collected and indicate their opt-out or opt-in preferences?
- How can individuals contact the business?
- How will the business update the privacy notice?
What is a Privacy Policy?
A privacy policy is an internal document that controls how an organization handles personal data. It gives members and employees of the organization instructions on collecting, storing, and processing personal data and any rights that data subjects (users) may have in relation to their personal data and how to facilitate the data subjects’ rights fulfillment.
Learn more about What is Privacy Policy
Privacy Policy Vs. Privacy Notice
Privacy policies and privacy notices show an organization’s compliance with modern data privacy laws. These two terms are frequently used interchangeably, which is incorrect. It is critical to grasp the distinctions between the two as the purpose to which each of these is aimed is different.
Learn more here
Privacy Notice Under GDPR
A General Data Protection Regulation (GDPR)-compliant privacy notice is crucial for assisting clients in making informed choices regarding their personal data and essentially controlling how the business collects, uses, processes, shares, and discloses it.
As per Article 12 of the GDPR, businesses must notify the data subject of any information about the processing of their data and the rights available to them. This is considered to be the privacy notice requirement under GDPR.
This privacy notice should be in a concise, transparent, intelligible, and easily accessible form. The privacy notice should also be plain and simple, especially if the information is addressed to a child. It is advisable that the privacy notice is in a written or any other electronic form. However, it can also be given orally if the data subject requests so as long as the data subject's identity is proven by other means.
The GDPR emphasizes the use of visualization tools. As per Article 12 of the GDPR, information can be provided in combination with standardized icons in order to provide easily visible and intelligible information, and icons must be machine-readable where the icons are presented electronically.
The GDPR also specifies what details must be included in an organization's privacy notification, depending on whether the data is collected directly or indirectly by the business or an organization.
Collecting Information Directly from Individuals
As per Article 13 of the GDPR, the following information must be disclosed in a company's privacy notice if it is directly collecting data from an individual:
- The name and contact information for the company's representative, data protection officer, and other representatives,
- Contact details of the data protection officer,
- The reason the organization is processing a person's personal data, as well as the legal basis for that processing,
- If the processing is necessary for the purposes of the legitimate interests pursued by the organization or by a third party,
- Who receives the personal data,
- The specifics of any overseas transfers of personal data and the measures taken to protect them,
- Whether the requirement to collect personal data is a legal or contractual requirement,
- The criteria or period used to decide how long to keep data for,
- The rights to access, rectify, or erasure of the personal data of the data subject,
- The right to revoke consent at any time (where relevant),
- Existence of any automated means of processing or profiling, and
- The right to make a complaint with a supervisory authority.
Collecting Information Indirectly from Third-Parties
The requirements for notice when obtaining personal data from a third party is the same as when it is being collected directly from the data subject. However, when personal data is collected from other sources, the data subject must also be informed of the categories of personal data concerned and source of personal data, and whether or not it came from publicly available sources.
In addition, as per Article 14(3), if the business receives personal information from a third party, the business must inform the data subject of the information within a reasonable period after obtaining personal data but at least within one month.
Privacy Notice Under CCPA
Giving consumers notice is critical for complying with the California Consumer Privacy Act (CCPA). According to the CCPA's “notice at collection” obligation, businesses must inform customers of the types of personal information they are collecting and their business and commercial goals when personal data is collected or before gathering it.
CCPA Section 999.305 (b)(4) requires organizations to display a link to the organization’s privacy policy, or in case there is no link, it should provide where the consumers can access the privacy policy online. According to Section 999.305 (c), a privacy notice can also act as a notice at the time of collection, and consumers should be given a link to access it. If the business aims to sell the consumer's personal data, then it should also give a ‘Do not sell’ link on the website. The privacy notice should also provide an overview of the company's online and offline procedures for gathering, using, disclosing, and selling the personal data of consumers along with the rights available to the consumers and how to exercise them. Additionally, the notice should be in plain and straightforward language and accessible format that is easy to read and understandable by the consumers.
Usually, privacy policies serve as the foundation for privacy notice development. This helps an organization determine what is permitted and then inform external stakeholders what is being done. An organization must adhere to the terms of its privacy notice because regulators will hold it responsible for its commitments.
How Securiti Can Help
Securiti’s helps businesses to create as well as dynamically update their privacy policies or notices and comply with global regulations in a seamless manner.
It enables organizations to build trust with their users while quickly adhering to various intricate and constantly changing international privacy regulations. Some of the highlighted features include:
- Publish privacy notices quickly and consistently using pre-built templates as per applicable laws.
- Centralize management by tracking and monitoring privacy notices across multiple systems.
- Import and sync cookie policy to the privacy notice by importing the results of a live cookie scanner report.
- Quickly create privacy notices for customers’ websites using predefined templates (Example: LGPD).
- Manage versions by maintaining a version history for each privacy policy & notice.
- View, edit, and delete an already existing privacy notice.
- Enable language preferences on the privacy notice.
- Add sections for the following within privacy notice (Some of these sections are offered by default and optional for the user):
- Company & Website Information,
- List of glossary items or definitions,
- Data processing activities,
- Sensitive personal data processing,
- Data relating to criminal convictions and offenses,
- Automated individual decision-making using personal data captured,
- Cookie Policy for each cookie category, and
- Data sharing, retention, and security policies.
- Collaborate with various owners and co-owners to create a privacy policy and notice + an internal messaging channel, so all communication is restricted within the platform.
- Submit privacy notices for approval before they are published.
- Create and send automatic reminders regarding which privacy notices are due for review.
- Publish the notices.
- Change the look and feel of the privacy policy notice as per your organization’s branding.
Request a demo today to learn more.
