Personal data privacy is one of the most discussed and desired features in today's digital landscape. Corporations and governments all over the world have the capability to collect and analyze data on their customers and use it for a variety of ends. The ethics of data collection remains a hot topic in society today.

While small businesses are not the usual suspects for unethical data collection, it does not hurt to be upfront with your customers about any and all data collection practices. This can help build trust with your customers and make them more likely to choose your services over a larger entity with less trustworthy data privacy practices. Depending on the location of your organization, you may be required to comply with specific data privacy regulations. For example, European Union entities have to comply with GDPR, and California entities have to comply with CCPA/CPRA.

You should definitely implement a privacy policy if your organization makes heavy use of e-commerce and other web-related services. It is appropriate to post your privacy policy in locations where customers can see it before engaging with your services, such as on your website's homepage or on the counter where your customers place their orders.

A good privacy policy should cover several key topics:
- The name of your business, what products and services it offers, and its mission statement. Make sure to tie in a dedication to customer privacy rights with your mission statement.
- Specify exactly what kind of data your business collects. Even if the processing or collection of customer data isn't a cornerstone of your operations, you should still specify any data that may be collected for any reason. This includes PII such as name, address, and phone number, web data such as cookies and IP addresses, voluntary data such as form or survey answers, and financial data provided for purchases. A small business likely uses a third-party provider to securely handle financial transactions. Make sure to state this in your policy.
- Building on the previous point, specify what methods you use to collect and handle customer data. These include third-party processors like PayPal or Venmo for sales, cloud applications like Google Forms for surveys, and direct methods like website account creation tools and shopping carts.
- Clearly state the objectives you pursue with the data you collect. Make sure to be upfront and honest about this. Obvious objectives include processing and shipping of orders and customer relationship improvement. However, other common objectives include marketing mailing lists and fraud prevention.
- If your organization does use customer contact information to populate marketing mailing lists, always ensure that there is an opt-out option implemented and clearly communicated.
- State all third parties that you share customer data with. This is often the part of the policy that is of most concern to customers. Third parties that usually receive customer data include shipping/carrier entities, third-party payment processors, cloud platforms for mailing and content creation/processing, and analytics/mining tools. It is on you to be upfront and honest about the third parties you share data with in order to maintain public trust and legal compliance.
- Clearly define the length of time customer data is retained in your systems. Several standard time periods are adopted by most organizations. Records of orders and transactions are typically held for 3 to 7 years. Account information should be kept until a user terminates their account. Mined data for analytics should be kept no longer than two or three years.
- Outline the security controls you have implemented to protect customer data at rest and in transit. These include encryption of stored data, strong access controls on third-party processing platforms, and regular updates and audits of systems.
- End the policy by outlining the rights provided to customers regarding their data. Any person that has their data processed, collected, or stored by your organization is referred to as a data subject. There are several data subject rights that should be afforded. These include the right to opt out of marketing, the right to erase their data, the right to request portability, and the right to access their data. The exact legal specifications of these rights depend on the applicable regulations for your business. As stated earlier, common ones include GDPR and CCPA/CPRA. The right of access is a notable right whose specifics vary depending on applicable regulations. A data subject access request is a request that can be filed by data subjects to retrieve information on what data your business has on them, how it is used, and for what ends. As you can tell, regulations for customer data can become confusing. Before drafting this part of the policy, it is highly recommended to contact appropriate legal representatives to determine all applicable regulations for your business.
