This week, the IAPP posted a new privacy statement. We encourage our members not only to read it so they can better understand what personal information the IAPP collects and how it’s processed, but also to provide feedback, comments and suggestions on what might be missing or how it can be improved. After all, you’re all pros at this!

Sausage-making process

Privacy statements need updating routinely, as they are intended to truthfully reflect to consumers an organization’s ongoing practices of handling personal data, which are, of course, subject to change. The IAPP’s privacy statement needed a complete overall.

It was last updated in 2014, for one thing. For another, we wanted to anticipate requirements imposed upon the IAPP under the EU General Data Protection Regulation coming into force in May 2018. It seemed appropriate to refresh the policy and include GDPR obligations all at once.

The first step in preparing the policy was conducting a data inventory and mapping exercise. The information from this process informed the statement.

Key members of the Privacy Working Group reviewed the statement for accuracy and substance, including the directors of our Membership, Marketing, Publications and IT teams, as well as our Canadian managing director. Ultimately, so did the IAPP’s CEO.

We admired how other organizations (such as Microsoft, for example) serve up their privacy statements in small portions, with the option for more as needed. This is one way organizations try to avoid overwhelming their users with excessive legal jargon and text, and aim to provide clear notices of privacy practices. The IAPP’s privacy statement, therefore, has a table of contents to navigate, small summary paragraphs for each section, and the option to read more in-depth descriptions of our practices where appropriate. Credit our IT director, Stephen Schoepke, with the layout, design and functionality.

Covering many legal bases

The IAPP is a not-for-profit corporation organized under the laws of Pennsylvania in the United States. Like every organization, we are subject to federal and state privacy laws that govern our data collection and use practices, and should we suffer a breach we would be obliged to follow the breach notification laws of all the states where affected data subjects live.

Our privacy statement is therefore intended to reflect the requirements of those states that have legislated privacy statement content, including California’s Online Privacy Protection Act, which applies to organizations that collect, through the internet, information about individual California consumers.

The U.S. Federal Trade Commission, which enforces the Federal Trade Commission Act, has produced the greatest body of jurisprudence regarding privacy notices. In particular, the FTC has found misleading or inaccurate statements in such policies to constitute “deceptive” trade practices under the Act. These are compiled in the IAPP’s FTC Casebook.

As a not-for-profit, the IAPP is not subject to the FTC’s enforcement jurisdiction, but its findings guide the IAPP in its privacy and security practices.

Further, although the GDPR is not yet in effect, we drafted the statement in its anticipation. Perhaps it may serve as a guide to others trying to reflect GDPR compliance in their organization’s public-facing privacy notices.

The GDPR does not, in fact, require websites to post privacy statements as explicitly as CalOPPA does. Instead, privacy notification requirements are found throughout the GDPR in its “transparency” requirements. Article 5, for example, requires that personal data be “processed lawfully, fairly, and in a transparent manner,” and that it be collected for a “specified, explicit” purpose. Article 12 requires controllers to provide information to data subjects in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” Article 13 sets forth information data subjects should receive “at the time when personal data are obtained,” and includes a list too long for most opt-in notices and more easily covered in a privacy statement. Recitals 60 and 61 offer similar guidance.

Notices of data processing practices in a privacy statement do not, of course, satisfy all the obligations for informed — or express — consent. Privacy statements contain many words and consumers may not take the time to read them at the moment they offer their personal information in exchange for goods or services. The GDPR, therefore, encourages the use of “standardized icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.”

For help with consent compliance, I cannot recommend enough the excellent and useful “UX Guide to Getting Consent” the IAPP published earlier this month in collaboration with Create with Content.

Conclusion

Privacy statements are important, reflecting the organization’s data handling practices, as well as its culture of transparency. They are not, as many privacy listserv conversations have debated, the same thing as internal privacy policies. Those, too, reflect privacy culture and practices and require careful and collaborative development, followed by extensive training and awareness.

I hope you’ll feel free to provide feedback and comments on the IAPP’s privacy statement to me at dpo@iapp.org.