How to Develop a Privacy Policy

This year, new data privacy laws will go into effect in California, Colorado and Virginia, with more states expected to follow this legislative trend. As businesses grapple with a myriad of compliance issues relating to these new laws, one requirement that many tend to underestimate is the creation of an external-facing privacy policy. In fact, some companies may be tempted to simply copy another’s policy, upload it to their websites, and call it a day.

However, a privacy policy is more complex than a basic template document featuring standard legal provisions that apply to all businesses. An effective privacy policy should accurately and transparently reflect a company’s end-to-end data privacy practices, policies, and procedures. Put differently, a privacy policy does not set or drive a company’s data privacy and security practices; it merely describes them. The privacy policy is the cart, not the horse, which often comes as a surprise.

Understand Your Data Privacy Lifecycle
In order to develop an accurate and meaningful privacy policy, a company needs to have a thorough understanding and documentation of its end-to-end data privacy lifecycle, including a firm grasp of its data processing practices, including:

• How each piece of data is collected (such as via websites, web forms, email, automated processes, and mobile apps)
• What categories of data are collected (commercial, biometric, Internet activity, unique persistent identifiers, etc.)
• What specific data is collected (name, address, email address, phone number, IP address, etc.)
• How informed consents are obtained and stored
• Whether the company collects any “sensitive data,” such as credit card information, social security numbers, health information, etc.
• How the company uses each piece of personal data collected
• Where each data subject resides (U.S.  – CA, CO, VA and other states, Canada, EU, etc.) to evaluate compliance with all applicable data privacy laws
• Third parties to whom personal data is disclosed and/or sold (including “subprocessors”)
• How each third party will use, disclose, retain, and delete such personal data, as specified in the company’s agreement and data processing addendum (DPA) with each third party
• How the company uses cookies, web beacons, pixels, and other tracking mechanisms and devices
• Whether the company is able to process “do not track” elections
• How the company will process requests from data subjects to access, delete, and change their personal data
• What the company’s data retention policy is, where data is stored, how (including encryption details), and how/when such personal data is deleted
• What are the company’s data breach notification and remediation processes
• Whether the company uses anonymized, de-identified and/or aggregated data and, if so, for what purpose(s)

Conduct a Data Mapping Exercise
Much of this information can be derived by conducting a data mapping or data inventory exercise, a critical prerequisite to a company’s understanding about what data it collects and how this data is used, stored, protected, shared, and deleted. When conducting such an exercise, it is important to include all types of personal data coming into a company, whether through sales, marketing, human resources, or other avenues. A complete data mapping can help a company prepare a more accurate and transparent data privacy policy.

Without this information, a company risks possible noncompliance with applicable state, federal, and international privacy laws, which can result in enforcement action by regulatory authorities, along with fines and penalties. It is therefore worthwhile to consider investing the time, money, and resources necessary to understand a company’s end-to-end data privacy lifecycle through practices like data mapping before drafting a privacy policy in order to ensure the policy is as accurate, transparent, and complete as possible. For companies lacking in-house data mapping capabilities, there are third-party vendors who can assist with this critical process.

If you need help developing a privacy policy, please contact Virginia Fournier at [email protected].

A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US).