There have been some highly publicized privacy statement revisions.
Here are some lessons we are discussing with clients:
- Regulators are putting a high value on transparency, and they are looking specifically at privacy disclosures. This is also evident from the complaints in many of the recent pixel-based lawsuits. It is good practice to prioritize putting your consumer-facing notices in order. You also need to make sure that what you do in practice matches what you say you do.
- When data processing in multiple services overlaps considerably — or when a user is likely to use multiple services — it is better to consolidate the privacy disclosure into one document than to have multiple documents that overlap.
- Your target audience should be able to easily understand your privacy notice and actually understand what you are doing with their data. It is not enough that the document looks good. It needs to clearly, fully and accurately reflect your data collection practices. If you feel inclined to use vague language, you should ask yourself why. Is it a practice that you don’t know enough about? (If so, resolve to learn more about it and amend the privacy notice ASAP.) Or is it something that you think your users would react badly to if they knew? (If that’s the case, you should reassess that practice. It is likely to give rise to causes of action, including unfair or deceptive acts or practices.)
- The design and layout of the notice should be clear and user-friendly too. It is helpful to include explanations.
- If you collect and process sensitive information, it is helpful to highlight those uses.
- It is a good idea to highlight customer tools, like the ability to delete personal data.