However, did you know this is only the case if you are subject to specific laws?
Privacy policies and the GDPR
Any discussion of data protection and privacy invariably begins with the GDPR (General Data Protection Regulation) – even when it comes to U.S. businesses.
That’s because many organizations process EU residents’ personal data and are therefore subject to its requirements.
Remember, the GDPR’s scope is determined by the location of the individuals whose data is processed, not by the location of the organization.
So, what does the GDPR say about privacy policies?
Article 12 requires organizations “to provide any information … relating to processing [of] the data subject.”
Recital 60 adds that this information shall “give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.”
Essentially, this means that you must create a privacy policy to inform your customers about the types of data you’re collecting and what you’re doing with it.
A GDPR-compliant policy should also contain information about how you are collecting data – e.g. through a form, cookies or in person.
What about other laws?
The GDPR is just one of many laws that include requirements for privacy policies.
Indeed, the U.S. data protection landscape comprises a patchwork of sector-specific and medium-specific laws, including some that address telecommunications, health information, credit information, financial institutions, and marketing.
Certain states have enhanced their privacy laws to require that businesses operating under their jurisdiction meet specific privacy and cybersecurity standards.
If you do business in, or target citizens of, California, Connecticut, Delaware, Michigan, or Nevada, you may be subject to certain laws that require you to outline details of data processing.
Likewise, if you deal with sensitive information or special categories of personal data, certain laws may require you to outline details of processing related to this sensitive data.
Clearly outlining your data handling process gives your customers and stakeholders assurance that you’re using data responsibly – giving you a competitive advantage.
Privacy policies also provide a framework to help you understand what you can and can’t do with personal data. With clearly defined rules, you’ll avoid data handling practices that may put sensitive information at risk – thereby mitigating the possibility of a data breach or privacy violation.
Be careful about what you include
If you do, you are subject to UDAP (Unfair and Deceptive Acts and Practices) statutes. These are enforced by state attorneys general, and some have the power to issue large penalties.
Our Privacy as a Service solution is an ideal option for those who want comprehensive advice on their data privacy strategy.
With this subscription service, our experts review your policies and processes, ensuring they comply with relevant laws, including the GDPR, CPRA (California Privacy Rights Act), and New York’s SHIELD Act.
A version of this blog was originally published on 13 March 2019.