Why is a privacy notice important?

What is a privacy notice?

A privacy notice is a document provided to users that describes how an organization collects, uses, retains, and discloses customer data.

The language around privacy notices has evolved steadily since the first privacy law was passed. The first California privacy law required a website to post a “privacy policy” rather than a “privacy notice.” More recent California privacy law still refers to an online privacy policy or policies, but also instructs organizations to provide certain information in a “notice at collection.”

While this language can be confusing, it is now common to refer to outward facing privacy documents as privacy notices. In contrast, a privacy policy is generally defined as the internal facing set of documents or policies that tell employees and contractors how to handle customer data. In short, a privacy notice is an outward facing document that may not address every detail of how an organization interacts with customer data, while a privacy policy is the set of internal documents and policies covering all aspects of that interaction.

Why do I need a privacy notice?

In certain circumstances, privacy notices are legally required. In other cases, third-party vendors require a privacy notice as a condition of using their services. Consumers have also come to expect a privacy notice that explains what customer data an organization collects, uses, retains, and discloses. Finally, a well drafted privacy notice should reduce exposure to privacy litigation and negative press.

Federal Law

In the United States, federal privacy law is sectoral. This means that there is no single comprehensive federal privacy law, but rather several different privacy laws focused on specific business fields. Today, there are federal privacy laws covering financial information (Gramm-Leach-Bliley Act or “GLBA”), education information (Family Educational Rights and Privacy Act or “FERPA”), medical information (Health Insurance Portability and Accountability Act or “HIPAA”), and children's information (Children's Online Privacy Protection Act or “COPPA”), among other sectoral laws. The Federal Trade Commission also exercises authority over privacy notices and privacy policies in general under its power to police unfair or deceptive acts or practices, so a notice that misstates what an organization actually does with data can be treated as a deceptive practice even where no sectoral law applies. Each of these federal laws has its own specific privacy notice requirements. In broad strokes, each of them requires notice to individuals when collecting their data.

State Law

At the state level, privacy laws are often a mix of sectoral and comprehensive law. As an example of a state sectoral law, California passed the California Financial Information Privacy Act, which was specifically intended to provide greater privacy protections than those provided under GLBA, the federal privacy law addressing sensitive data held by financial institutions. In some cases, these state sectoral privacy laws have their own notice requirements. As a result, if an organization finds itself subject to a sectoral federal privacy law (for example GLBA), it should also be aware that state privacy laws may address the same sector (as illustrated above by the California Financial Information Privacy Act).

The first attempt at a comprehensive state law was the California Online Privacy Protection Act of 2003 (“CalOPPA”). As technology progressed, this law was amended in 2013, before a new comprehensive California privacy law, the California Consumer Privacy Act (“CCPA”), was passed in 2018. The modern state trend is to pass comprehensive privacy legislation. These comprehensive state laws generally set out specific requirements for a privacy notice. If an organization is subject to these state laws and violates their notice requirements, it may be subject to civil penalties and, in some circumstances, private lawsuits.

State penalties for violating privacy law vary depending on the state. Under California's CCPA, violators may face an injunction (a court order restraining the violator from continuing the illegal behavior) and a civil penalty of $2,500 for each violation or $7,500 for each intentional violation. Additionally, the CCPA allows California consumers to bring a civil action against organizations under certain circumstances, namely certain data breaches resulting from a failure to maintain reasonable security. In such an action, the CCPA allows recovery of between $100 and $750 per consumer, per incident, or the actual damages, whichever is greater.

Third Parties

In addition to state and federal laws, third parties will often require a privacy notice as a condition of using the third party's services. When a user visits a website that uses Google AdSense or Google Analytics, the user's web browser sends information to Google. As a result, Google requires that AdSense and Analytics users maintain a privacy notice that includes information about Google's data collection practices. This requirement is explicitly laid out in the Google documentation for AdSense and Analytics. Organizations should also be aware that when they embed video content from YouTube, the user's browser may likewise send information to Google through YouTube.

Google is not the only third-party service provider that requires a privacy notice. Third-party payment processors, among others, require one as well. As an example, Stripe, a payment processor All Terms uses, requires Stripe users to “provide all necessary notices and obtain all necessary rights and consents from their End Customers to enable Stripe to lawfully collect, use, retain and disclose the Personal Data as part of the Stripe Services.”

Any time a third party collects information through an organization's website, that collection should be disclosed in the privacy notice. In part this is because third parties require such notice, but it is also because comprehensive state privacy laws often explicitly require it.

Consumer Good Will

Consumers now expect an organization with an online presence to maintain a modern privacy notice. A well drafted privacy notice builds consumer confidence and encourages users to patronize an organization. Additionally, privacy related issues often become a matter of public record, whether through civil litigation, enforcement actions by state attorneys general, FTC consent decrees, or news reports. Any organization understands the value of its domain name and brand, and the damage a permanent public record of privacy missteps can do to both. Together these issues provide a powerful incentive for organizations to prioritize their privacy notices.

Best Privacy Notice Practices

  • Conspicuously post a link to your privacy notice. Common practices to ensure conspicuous placement include: a link containing the word “privacy”; a contrasting color or symbol that draws attention to the link; and posting the link on every page where customer data is collected. Organizations should also be aware that certain state privacy laws require additional links or notices beyond the privacy notice itself.

  • Maintain a current privacy notice. Organizations often change their data collection practices. The privacy notice must reflect these changes, or the organization may run afoul of both privacy laws and state and federal unfair or deceptive trade practices laws, since a notice that no longer describes actual practice is itself a misrepresentation.

  • Maintain a version history of privacy notices. In the event of a dispute with a user, an organization should be able to determine exactly which privacy notice and internal policies were in effect during the relevant time frame.

About

All Terms is dedicated to helping businesses of all types generate and maintain privacy compliance. Our tools were developed based on years of legal work assisting businesses with their privacy needs. We know that privacy compliance is an ongoing task. We've leveraged our experience to lower the cost of generating privacy documents by automating the generation process. Our years of experience in the legal field have exposed the limitations of relying on an attorney or a team of attorneys to ensure accurate and continuous compliance. So we've leveraged technology to make sure that you have access to affordable, continuous, and available tools to maintain compliance.