Organizations that collect, process, or store any volume of consumer data SHALL write and publish a Privacy Policy that defines the types of consumer data collected by the organization; the methods for collecting, processing, storing, and sharing it; and consumer rights to opt out of data collection, as well as to view and correct it.
Control Type: Administrative
Control Function: Directive
Description: Businesses that collect, process, and store any consumer data have the responsibility to protect its confidentiality at all stages of the data lifecycle. Of special concern is personally identifiable information (PII), which is defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Examples of PII include addresses, bank account numbers, social security numbers, and driver’s license numbers. Protections for PII are heavily regulated by numerous standards and regulations, and a breach of an organization that results in the leaking of accumulated PII can have devastating consequences for the organization.
Going beyond PII, businesses greatly benefit from protecting all pieces of collected consumer data. Consumers are more likely to place trust in businesses that demonstrate a commitment to protecting their information, and as a result, are more likely to continue doing business with them. Therefore, senior management has a major stake in developing high-level policies and procedures for protecting consumer data. Creating and publishing a Privacy Policy is one of the key methods of demonstrating this commitment to consumer protection.
A Privacy Policy is a legal document or statement that outlines how an organization collects, uses, stores, and protects the personal data of individuals. It clearly defines the types of consumer data collected by the organization, as well as the methods for collecting, processing, and storing it. The privacy policy should also clearly inform consumers of their rights regarding the use of their data. Data privacy regulations like GDPR require organizations to provide consumers with options to opt out of data collection, as well as view and correct it. Regardless of whether a business falls under such regulation, it is a healthy practice to implement these consumer rights.
A Privacy Policy should adhere to the following structure:
What consumer data is collected? This may include names, birthdates, addresses, email addresses, banking information, usernames, geolocation, IP addresses, tracking data, and places of work.
How is this data used? Consumers want businesses to be open about how their data is being used. Use should be limited to delivering the specified services, communications, and operational purposes. GDPR requires a lawful basis for every data processing activity and specifies six lawful bases:
- Consent: The individual has given clear, affirmative permission
- Contract: Processing is necessary to fulfill a contract with the individual
- Legal Obligation: Processing is necessary to comply with the law
- Vital Interests: Processing is necessary to protect someone's life
- Public Task: Processing is necessary for a task in the public interest
- Legitimate Interests: Processing is necessary for legitimate interests, provided it doesn't override individual rights
Data Sharing: Consumers do not like it when their personal data is shared with third parties. Businesses should clearly state that they avoid the practice. If sharing consumer data is necessary under one of the lawful bases, the policy needs to clearly state these reasons along with the safeguards used to protect data throughout the sharing process.
Data Security: The exact controls do not need to be specified, but there should be a clear explanation of the overall methods for securing consumer data at rest, in transit, and in use.
User Rights: Consumers can request access to, correction of, or deletion of their personal information where applicable.
Data Retention: Personal data is retained only as long as necessary to fulfill its intended purpose or legal obligation. This statement needs to be backed up by creating and practicing a Data Retention Policy and associated procedures within the business.
Cookies & Tracking: If the business utilizes cookies and other tracking methods to collect web data, it should be disclosed here.
Third-Party Services: External services involved in any aspect of consumer data handling have their own privacy practices, for which the organization itself is not responsible.
Policy Updates: The policy may be updated periodically, and the business needs to inform customers.
Contact Information: Users may contact the organization with privacy-related questions or concerns.
User Acknowledgement: It is important to provide a method for user acknowledgement of policy terms. Since most privacy policies are posted on digital platforms, a checkbox or e-signature function is appropriate.
Businesses implementing a privacy policy should create a company mailbox dedicated to privacy-related inquiries and communications, such as privacy@XYZCompany.org.
Once an appropriate privacy policy has been finalized, it needs to be shared with the public. Company websites should host a copy on topic-appropriate pages, such as checkouts on e-commerce sites. A standardized practice is to post a link to the policy in the website footer. Any kind of user account registration process to enroll in a business service should include a copy as well.
